The Blippy Leak: How Credit Card Numbers Got In Google
I don't know if you've heard, but social shopping site Blippy made a little slippy.
Blippy, a four-month-old startup funded partially by Twitter co-founder Evan Williams, lets you create a "social stream" of all your credit card purchases. You set up an account, punch in your credit card number, and then Blippy automatically posts all of your purchases (including their prices) to your profile.
It's basically a massive privacy invasion, only it's voluntary -- and, for whatever reason, people like it. Today, however, a few of Blippy's users realized the service was inadvertently sharing far more than they realized.
Blippy's Exposed Credit Cards: The Google Discovery
Someone discovered that by performing a targeted Google search, you could find a small handful of users' credit card numbers hidden within their Blippy profile pages. The glitch was initially publicized in a report posted Friday at tech blog VentureBeat.
The credit card numbers were apparently stored inside the HTML code of the Blippy.com pages. They wouldn't show up when viewing the pages in a normal browser, but they were present and therefore accessible to the eyes of a search engine.
The search in question -- "site:blippy.com +'from card'" -- instructed Google to dig up the section of the text that contained the credit card data. Blippy co-founder Philip Kaplan says the mistake was the result of some sloppy coding present in Blippy's pages back when the site first went online.
"It was all removed and fixed quickly, months ago," Kaplan promises. "While it looks super-scary ... and is embarrassing to us, it's a lot less bad than it looks."
Kaplan says only four of the service's users were affected. Even though Blippy corrected the coding problem some time ago, those users' credit card data was still accessible due to the cached nature of the snippets -- those short blurbs you see on search result pages -- used by Google.
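A site can check for this kind of leak before a crawler does, because the numbers sit in the page source even when the rendered page hides them. The following is an added example, not Blippy's code: it scans raw HTML for Luhn-valid card numbers and reports whether each one is in visible text or in markup a browser does not display. The sample markup, the data-raw attribute and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits, optional separators
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
NON_RENDERED = {"head", "script", "style", "template"}

def luhn_ok(digits):
    # Double every second digit from the right; subtract 9 from results above 9.
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def pans(text):
    hits = (re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text or ""))
    return [d[:6] + "*" * (len(d) - 10) + d[-4:] for d in hits if luhn_ok(d)]  # masked

class PanScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth = 0       # > 0 while inside an element a browser would not render
        self.findings = []   # (location, masked number)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # attribute values never appear on the rendered page
            self.findings += [(f"attribute {tag}[{name}]", p) for p in pans(value)]
        a = dict(attrs)
        hidden = (tag in NON_RENDERED or "hidden" in a
                  or "display:none" in (a.get("style") or "").replace(" ", ""))
        if tag not in VOID and (hidden or self.depth):
            self.depth += 1
    def handle_endtag(self, tag):
        if tag not in VOID and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        where = "hidden element" if self.depth else "visible text"
        self.findings += [(where, p) for p in pans(data)]
    def handle_comment(self, data):
        self.findings += [("comment", p) for p in pans(data)]

def scan(html):
    scanner = PanScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the card numbers are the networks' public test numbers.
SAMPLE = """<div data-raw="from card 4111 1111 1111 1111">Spent $12.50 on lunch</div>
<!-- debug: from card 5555-5555-5555-4444 -->
<span style="display: none">from card 378282246310005</span>
<p>Order 1234567890123456 shipped</p>"""
```

On the sample, scan(SAMPLE) reports three findings, none of them in visible text, and skips the 16-digit order number because it fails the Luhn check.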
Google's Blippy Solution
Thankfully, Blippy was zippy, and all is now skippy. The company contacted Google soon after learning about the leak, and within about two hours, the G-Team was able to get the credit card info permanently off of its pages.
A Google spokesperson tells me any webmaster can request to have info pulled from Google's cache using its URL removal tool. (Any webmaster -- that doesn't mean you can write in and ask to have those provocative party pics from spring break 2004 annihilated.) Typically, it takes some time for the request to be processed and the information to be removed. Given the nature of this case and the publicity surrounding it, though, Google prioritized the request and took "special measures" to get the credit card numbers deleted post haste.
Conduct the same targeted Blippy search now, and you'll still see the pages listed -- but the snippets that had the numbers are long gone.
Blippy's Credit Card Victims
Blippy, for its part, says it's taking steps to strengthen its site security in light of this lapse. As for the users affected, at least one has come forward so far. The man, a 38-year-old firefighter named Bradd Dantuma, somewhat fittingly learned about the breach through social media. A friend of his, he tells MainStreet.com, sent him a message on Google Buzz:
"Psst... You might want to cancel your Blippy account. And probably change your credit card number."
Dantuma tells MainStreet.com he isn't aware of any fraudulent purchases on his credit card as of yet, but that doesn't make the experience any less jarring.
"Just to see my name pop up on all these Web sites and to see all these articles written about it, it's just a little shocking," he says. "It'll make me think twice before signing up for anything else."
Bradd Dantuma's Blippy profile, suffice it to say, is no longer online.