Blippy And Credit Card Numbers

Today someone discovered a Google search that displays the credit card numbers of 4 Blippy users.

Blippy sincerely apologizes to those 4 users and we have reached out to them.  We will do what it takes to ensure that they are minimally affected.

The credit card numbers are appearing in Google.com’s cache from 2 months ago, and never appeared on Blippy (more on that below).  As such, we’ve reached out to Google and are confident that they will act as quickly as possible to remove the credit card numbers from their servers. (Update: Google has successfully removed the numbers from their cache)

We are serious about security and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn’t affect current users.  Also, this was not the result of a hack or security breach to our servers.

Here are the details:

  • Say you buy lunch at Quiznos.  Your credit card statement shows a complex entry like “Quiznos Inc Store #1234 San Francisco.”  But Blippy cleans this up to only show “Quiznos.”  We refer to these as the “raw data” vs the “cleaned up data.”
  • Raw data is typically harmless.  But it turns out that some credit cards (4 out of thousands in this case) show the credit card number in the raw data.  For example, “Quiznos Inc Store #1234 from card 4444….”
  • Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page.  The average user would see nothing, but a determined person could see “raw” line items.  Still, this was mostly harmless — stuff like store numbers and such.  And it was all removed and fixed quickly, months ago.
  • Enter Google’s cache.  Turns out Google indexed some of this HTML, even though it wasn’t ever visible on the Blippy website, and was removed from the HTML code months ago.  Which exposed 4 credit card numbers on Google.com (but a scary 196 search results).
  • We have contacted Google to request that they remove all credit card numbers from their servers.

We take this very seriously and are deeply sorry for the extreme inconvenience we caused to the 4 affected users.  We will help make sure they are minimally affected.

In general, it’s important to remember that you’re never responsible if someone uses your credit card without your permission. That’s why it’s okay to hand your credit card over to waiters, store clerks, e-commerce sites, and hundreds of other people who all have access to your credit card numbers. Still, this should have never happened and we take responsibility.

We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again. We recently raised $11.2 million from investors and are using a significant amount of that to build a world-class, secure infrastructure. We are also conducting third-party security audits, and will be a lot more careful before new features are released, even if it’s during a small, limited beta test period.

Contact us for any reason at hello@blippy.com

Thank you for reading.

Philip Kaplan
Co-Founder