On Friday, we reported that Blippy, a social network for shoppers cofounded by FuckedCompany and AdBrite founder Philip “Pud” Kaplan, had accidentally published some of its members’ credit-card numbers into Google. Kaplan was quick to respond. “It’s a lot less bad than it looks.”
It turned out it was worse than Kaplan thought when he wrote that post: a VentureBeat tipster turned up another credit-card number by Googling Blippy this morning.
True, the 127 transactions we found in Google on Friday turned out to contain only four unique card numbers, two of which belonged to the same person. The cards’ expiration dates weren’t published, making an unauthorized charge difficult, if not impossible. Blippy contacted all three members to ensure there had been no incidents of fraud.
This morning, Blippy tweeted that they are going back over their January and February data — a time before they systematically eliminated credit-card numbers from the data they published about their users’ spending habits — and were working with Google to scrub any numbers that got into the search giant’s index. On the phone at 11:29 a.m. Pacific Time, Kaplan told me he had just received word from Google that all credit-card numbers on Blippy.com pages had been purged from Google’s index. CEO Ashvin Kumar wrote a blog post that explains how “only a small subset of our users have the potential to be affected by this incident.”
Even so, both Blippy and VentureBeat found another credit-card number and name in Google earlier this morning. It was only one, but it proves Blippy can’t say with certainty that all numbers have been found.
“Obviously, we accept full responsibility,” Kaplan said, “and we still have multiple people working on it. We’re not saying we’re done.”
The point here isn’t that Blippy goofed. It’s that unplanned oversharing of personal information will likely become a bigger and bigger problem as Facebook, Twitter and other social networks find more ways to pull more personal data onto the Internet and spread it around to multiple sites and services.
Why did Blippy allow Google to crawl its members’ pages, the source code for which included data not meant to be published to anyone but the individual members? Why is Blippy still Googleable at all, instead of, say, blocking the search engine with a robots.txt file?
“For the same reason Yelp is in Google,” Kaplan said. “We want people looking for people and places to find us.”
The computers hooked up to the Net continue to become more and more powerful, more and more clever, and more and more interconnected. To me, that’s pretty cool. But businesses and their customers need to understand the risks.
Finding Blippy members’ card numbers didn’t require deep-geek hacking. Simple Google searches for words or abbreviations that are sometimes paired with a credit card number on Blippy were sufficient. It wouldn’t be hard for a serious cracker to write a program that auto-scours Google for anything on Blippy that looks like a credit-card or Social Security number. That’s probably why Google blocked all site-specific searches of Blippy.com soon after the news got out Friday. Maybe they should have left it that way this morning.
The fifth card number leaked from Blippy to Google belongs to Australian talk-show host and comedian Josh Withers. Withers was amused rather than alarmed when we contacted him. He blogged a response for us. “I pride myself on my early adoption of technology, including Blippy,” he wrote, “and all early adopters know that when you play with fire, Google caches it.”
VB’s research team is studying mobile user acquisition: Chime in here, and we’ll share the results.