Blippy suffers credit card number leak

Blippy, which connects ‘friends’ on its social network so that they can exchange information about what they’re buying, allows people to automatically post information about what is being spent on their credit card. When a user searched on the term “Card from#”, 196 results showed up detailing full credit card numbers for four users, along with what the cards were used to buy, where, and how much it cost.

Blippy, which was just awarded $11.2m in funding and was profiled by the New York Times, published an apology explaining what had happened. During a beta test several months ago, the company’s developers had noticed that some raw data from transactions logged by users were not stripped out. The raw data, which never made its way to the public Blippy website, was nevertheless part of the HTML data indexed by Google. The indexed data was cached, which is how it showed up in web results.

Although 196 search results showed up, they only affected the credit card numbers of four users, Blippy said. “We contacted Google and they promptly removed the four credit card numbers from their cache, so they are no longer visible.”

“We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again,” Blippy assured, adding that a significant proportion of its recent funding round is being used to upgrade its infrastructure. “We are also conducting third-party security audits, and will be a lot more careful before new features are released, even if it's during a small, limited beta test period.”
