On Friday, we reported that Blippy, a social network for shoppers cofounded by Fucked Company and AdBrite founder Philip “Pud” Kaplan, had accidentally published some of its members’ credit card numbers into Google. Kaplan was quick to respond. “It’s a lot less bad than it looks.”
True, the 127 transactions we found in Google turned out to contain only four unique card numbers, two of whom belonged to the same person. The cards’ expiration dates weren’t published, making an unauthorized charge difficult, if not impossible. Blippy contacted all three members to ensure there had been no incidents of fraud.
This morning, Blippy tweeted that they are going back over their January and February data, and are working with Google to scrub any numbers that got into the search giant’s index. On the phone at 11:29 AM Pacific, Kaplan told me he had just received word from Google that all credit card numbers on Blippy.com pages had been purged from Google’s index. CEO Ashvin Kumar wrote a blog post that explains how “only a small subset of our users have the potential to be affected by this incident.”
Even so, both Blippy and VentureBeat found another credit card number and name in Google earlier this morning. It was only one, but it proves Blippy can’t say with certainty that all numbers have been found. “Obviously, we accept full responsibility,” Kaplan said, “and we still have multiple people working on it. We’re not saying we’re done.”
The point here isn’t that Blippy goofed. It’s that unplanned oversharing of personal information will likely become a bigger and bigger problem as Facebook, Twitter and other social networks find more ways to pull more personal data onto the Internet and spread it around to multiple sites and services. Why did Blippy allow Google to crawl its members’ pages, the source code for which included data not meant to be published to anyone but the individual members? Why is Blippy still Googleable at all, instead of, say, blocking the search engine with a robots.txt file? “For the same reason Yelp is in Google,” Kaplan said. “We want people looking for people and places to find us.”
The computers hooked up to the Net continue to become more and more powerful, more and more clever, and more and more interconnected. To me, that’s pretty cool. But businesses and their customers need to understand the risks.
Finding Blippy members’ card numbers didn’t require deep-geek hacking. Simple Google searches for words or abbreviations that are sometimes paired with a credit card number on Blippy were sufficient. It wouldn’t be hard for a serious cracker to write a program that auto-scours Google for anything on Blippy that looks like a credit card or Social Security number. That’s probably why Google blocked all searches of site:blippy.com soon after the news got out Friday. Maybe they should have left it that way this morning.
The fifth card number leaked from Blippy to Google belongs to a talk radio host who we think will be amused rather than angry. We’ve contacted him, but we’re scrubbing his name until then.
Companies: Blippy, Google