The new trend in online sharing has been experiencing an explosion lately. Just yesterday, The New York Times did a story on the new ways that people are sharing their personal information online. But then today, it came out that one of those companies exposed some of its users’ credit card numbers to Google search.
Oops! Online purchase sharing site Blippy just closed an $11.6 million round of funding. And it’s a good thing it did, because the company is going to continue getting a lot of flak for this for a long time.
Blippy lets its users share their purchasing information with their friends. According to The New York Times:
“This is all part of one big trend: People are becoming more relaxed about privacy, having come to recognize that publicizing little pieces of information about themselves can result in serendipitous conversations — and little jolts of ego gratification.”
But no one on the site expected to publicize their credit card numbers. Except that is what happened this week — or at least what was discovered this week.
Blippy has never published personal credit card information. But that data is included in the information Blippy does use, before the company scrapes it out to share less dangerous purchasing information among users. Several months ago, when Blippy was in public beta, this transaction data was part of the underlying code on Blippy’s site. And it turned up in Google search results. Until today, when someone searched the terms “Blippy” and “from card” they were rewarded with credit card information from Blippy users.
Not all users were exposed. The credit card numbers shown belonged to only four Blippy beta users. Since coming out of beta, Blippy has cleaned up its code so Google cannot scrape this info from the site.
Blippy cofounder Philip Kaplan
“While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it’s a lot less bad than it
On the ratios, it is. Not even all of Blippy’s beta users were affected. Four out of thousands is not a bad percentage. But it’s not good. And the fact that this was available on Google for MONTHS is equally bad news for Blippy.
Like the rest of us, the company only found out about the breach today. And while it’s completely possible that no one’s credit card info was actually stolen, this incident underlines a growing issue online.
Tiny start-ups trying to create “serendipitous conversations” are now dealing with very sensitive information online. And while consumers are trusting that they will be careful with their information, that’s not always possible.
Mostly because they’re creating their business models as they go. And their code. There is a great deal of room for error in how these companies work. Take for example event sharing company Hot Potato, which relaunched at SXSW and accidentally rebooted its database, sending out hundreds of repeat emails and deleting the histories of many of its users.
Many people are wary of sharing intimate information online because they are not sure how it will be handled. Count many big companies among them, including Amazon, which blocked its users from sharing their purchasing history with Blippy last year. Blippy got around that hurdle by requesting access to users’ Gmail accounts, which they gladly handed over. Blippy then scraped users’ Amazon purchases from their emails and put them up for other users to see.
Blippy gets around 125,000 visitors a month. That’s nothing compared to Amazon’s traffic. And while there is no indication that Amazon would have been affected by this recent security lapse, it is sure to scare off larger companies signing on to work with Blippy in the future. Errors like this — even if it only truly affected four people — serve as a reminder that the new social web is not as safe as many would like.