D69
Dagobah Resident
Sharing your credit card and online purchases with friends on the web sounds risky and it is. We’ve just discovered that several credit card transactions shared on social networking site Blippy have been exposed — with full credit card numbers included — in Google search results.
Tipster Trey Copeland wrote to us with a link to results for the search: site:blippy.com +”from card”. That search returns results showing detailed purchase information for transactions. Each result highlights that there was a “debit card transaction” or “card transaction,” the amount spent, the specific location (address included) and the full card number (as seen below).
Blippy users who share their credit card and bank account information do so with the assumption that this information will remain private. Blippy addresses security concerns with the following statement on its website:
“Blippy is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical and electronic measures designed to protect your information from unauthorized access. We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored personal data to you via email or conspicuous posting on the Services in the most expedient time possible and without unreasonable delay, consistent with (i) the legitimate needs of law enforcement or (ii) any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”
Unfortunately it appears that there is a bug in the “administrative, physical and electronic measures” that ensure privacy, as Blippy’s security system has been breached in a very public and unfortunate way.
Given the breach, we suggest that Blippy users who have authorized the site to access their debit or credit transactions take immediate action to revoke access. We’ve e-mailed Blippy, notified them of the situation and will update this post when we know more.
Update: Blippy Explains How Users’ Credit Card Numbers Ended Up in Google
This morning we learned that some users of purchase sharing site Blippy had their credit card numbers exposed in Google search results. The company is now out with their official statement on the matter in an attempt to assure users that “it’s a lot less bad than it looks.”
The statement also details that just four credit card numbers were exposed as the result of “an isolated incident from many months ago in our beta test” and that current users have not been affected.
Here’s how Blippy describes the chain of events that led to the appearance of credit card numbers in search results:
Say you buy lunch at Quiznos. Your credit card statement shows a complex entry like “Quiznos Inc Store #1234 San Francisco.” But Blippy cleans this up to only show ‘Quiznos.’ We refer to these as the “raw data” vs the “cleaned up data.”
Raw data is typically harmless. But it turns out that some credit cards (four out of thousands in this case) show the credit card number in the raw data. For example, “Quiznos Inc Store #1234 from card 4444….”
Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page. The average user would see nothing, but a determined person could see “raw” line items. Still, this was mostly harmless — stuff like store numbers and such. And it was all removed and fixed quickly.
Enter Google’s cache. Turns out Google indexed some of this HTML, even though it wasn’t visible on the Blippy website. And exposed four credit card numbers (but a scary 196 search results).
We’re working with Google now to remove Blippy from their cache, and they inform us it will be completed within a couple of hours.
Blippy also promises to take additional measures to up their third-party security checks and to be more careful in the future.
Nonetheless, given the already wary attitude of web denizens when it comes to sharing this type of confidential information, we’re not confident that this explanation will do much to calm the fears associated with handing over credit cards or banking information to the now blemished site.
SRC: http://mashable.com/2010/04/23/blippy-credit-card-numbers/
SRC: http://mashable.com/2010/04/23/blippy-statement/