Google Searches Expos Credit Card Numbers Of Blippy Members
A Google search page listed the Mastercard numbers for 127 transactions made by four Blippy members, according to The New York Times. "Those numbers could be easily scooped up by identity thieves and used for fraudulent purposes," The New York Times said.
Blippy, a site that has found its niche by allowing users to publish their credit card purchases online, acknowledged the breach in a blog post Friday, but downplayed the incident.
"While it looks super-scary and certainly sucks for the four people who were affected (to whom we apologize are contacting) and is embarrassing to us, it's a lot less bad than it looks," said Blippy co-founder Philip Kaplan in a blog post.
As a general rule, Kaplan said, the Blippy site does not typically publish raw data -- information that is usually limited to store numbers and addresses, but can apparently include credit card numbers as well.
However, Kaplan explained that the site experienced an error a few months ago that exposed raw data -- including four credit card numbers.
"Still, this was mostly harmless -- stuff like store numbers and such. And it was all removed and fixed quickly, months ago," Kaplan said.
According to Kaplan, Google had indexed some of the raw HTML transaction data that wasn't displayed on the Blippy site, but which somehow enabled the credit card numbers to be exposed on public searches.
Kaplan said that Blippy contacted Google once it learned of the breach, and the search engine giant promptly removed the credit card numbers from its cache. He also asserted that the company was attempting to contact the four breach victims to apologize and repair the damage.
"While we take this very seriously and it is a headache for those involved (to whom we apologize and are contacting), it's important to remember that you're never responsible if someone uses your credit card without your permission. That's why it's okay to hand your credit card over to waiters, store clerks, and hundreds of other people who all have access to your credit card numbers," Kaplan said. "Still, this should have never happened and we take responsibility."
The New York Times reported that Blippy secured $11 million in venture capital funding, which Kaplan said would help enable the company to make future investments in security architecture as well as third-party security audits.