Blippy, a social-network for people who want to publish their purchasing activity, was busted on Friday for publishing some of its users’ credit card numbers.
By Friday afternoon, Blippy said it fixed the problem.
But on Saturday, we discovered Blippy had also published a user’s debit card information.
Now, in an apology post, Blippy says it has a new fix. Let’s hope this one sticks!
Here’s the post:
Blippy Issues, Resolutions, Plan
It has been a rocky weekend for Blippy. The weekend began with a front page article in the New York Times announcing our Series A financing. The elation didn’t last long. A few hours later, reports surfaced about the discovery of credit card numbers within Google’s cached search results. Our mood quickly went from elation to disbelief to disappointment. We are very sorry.
However, this is a very serious issue and simply apologizing is not enough. We’ve spent the last 48 hours working around the clock to dissect the issues, reach out to affected users, and put together a plan to ensure this never happens again.
- In early February, due to a technical oversight on our part, some raw transaction data appeared within the HTML code on some Blippy pages for about half a day. Raw transaction data is the messy one-line sentence that appears on a bank or credit card statement. For example, if you buy lunch from Quiznos, your credit card statement might display the raw transaction data as “Quiznos Inc Store #1234 San Francisco”. Blippy tries to clean this data so it appears as simply “Quiznos”.
- Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless. It typically is. However, during that half day period of exposure, we were informed that raw transaction data sometimes contains airline confirmation numbers, which in combination with a user’s last name could be used to check someone into a flight. As we have always strived to be highly attentive to potential security and privacy problems, we quickly patched the issue and took extra precautions to never ever expose raw transaction data again.
- What we did not realise until Friday morning was the fact that in that half day period, Google had crawled and indexed a portion of Blippy’s pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index. Google effectively took a snapshot of Blippy during that half day period. Though our site has changed considerably since early February, Google’s snapshot of these pages did not update, which effectively extended a half day exposure into a three month exposure. While Google provides webmasters with tools to remove pages from its index, we overlooked the fact that Blippy could have been crawled by Google during the period of the exposure.
- Naturally, when users learned of the issue this weekend, some wanted to disconnect their credit card accounts or delete their entire user account. At the same time, Blippy’s servers had been under increased load due to the media attention. This resulted in many failed requests to delete accounts because we had not invested sufficiently in making our account deletion process as programatically efficient as it could be.
- We spent Friday simultaneously trying to understand (a) what had led to sensitive information appearing on Google, and (b) working with Google to remove the search snippets and search results on Google for the discovered cards. Google removed these 200 or so URLs promptly.
- On Saturday morning, upon the discovery of an additional card, we requested Google remove all snippets and cached pages related to Blippy. This affected some 20,000 pages, much more than what was exposed, but more importantly it effectively removed any remaining sensitive information. Many thanks to Google for their responsiveness. The manner and speed at which they operated was extremely impressive.
- While we are pleased that the sensitive data is no longer accessible via Google, it is important to acknowledge that there was a period of nearly 3 months during which this data was publicly accessible. To this end, as I mentioned in my previous update, our team looked at all of the data published to our service during that time period, in an effort to identify the extent to which information may have been accessible to the public via Google. We were extremely conservative in viewing the data for potential exposure (even if we were unable to confirm that such exposure had taken place). As a result, we reached out to a total of eight individuals.
- We also fixed the errors associated with the deletion of credit card accounts and user accounts.
We have now reached out to all affected users, notified them of the issue, and expressed our sincere remorse. We will be working with these users to assist them in resolving any issues that may arise out of this unfortunate situation. They trusted us with their information, and we are truly disappointed to have let them down. While these users reflect a tiny sliver of our user base, any number greater than zero is deeply unacceptable to us. We’ve built Blippy — and will continue to build Blippy — on the foundation of our community and the trust they place in us to create a safe, secure, and fun experience to share purchases.
After reaching a resolution, we spent today working on a go-forward plan to ensure that this never happens again.
- Hire a Chief Security Officer and associated staff that will focus solely on issues relating to information security.
- Have regular 3rd-party infrastructure & application security audits.
- Continue to invest in systems to aggressively filter out sensitive information.
- Control caching of information in search engines.
- Create a security and privacy centre that contains information about what we are doing to protect you.
The security of our users is our highest priority. If there are additional measures you would like us to take to improve Blippy’s security, please do not hesitate to email us at [email protected] We will personally respond to each and every recommendation.
We deeply regret what happened and are working tirelessly to regain the trust of our community. Thank you for reading.
Ashvin Kumar Co-Founder & CEO [email protected]
Business Insider Emails & Alerts
Site highlights each day to your inbox.