Credit Card Purchase Site Blippy Weathers Embarrassing Card-Data Breach
Fast-growing social-networking site Blippy hit a rough patch this week when it revealed an internal glitch that resulted in exposing certain users’ credit card data on Google Inc.’s search engine for some three months.
Palo Alto-based Blippy, which has gained some 125,000 followers since its launch in December, touts itself as “a fun and easy way to see and discuss what everyone is buying.” The site enables users to register a credit card with the site, which tracks users’ purchases at such merchants as Apple Inc.’s iTunes, Amazon.com and Netflix.
Blippy promises to extract users’ sensitive card data, but the company says it slipped up recently during a beta test by briefly exposing several users’ card data. Google subsequently replicated that data in a routine information-search sweep, exposing it publicly for nearly three months.
“In early February, due to a technical oversight on our part, some raw transaction data appeared within the HTML code on some Blippy pages for about half a day,” Blippy co-Founder and CEO Ashvin Kumar wrote on the company’s blog April 26, explaining that while it patched the breach, the company was unaware of Google’s data sweep.
Blippy says it “incorrectly considered raw data fairly harmless,” noting that raw transaction data can contain airline-confirmation numbers, which in combination with a user’s last name could be used to check an imposter in to a flight.
When it uncovered the scope of the breach, Blippy says it contacted eight cardholders potentially affected by the breach and has since patched the problem, including removing all sensitive card data from Google. Blippy plans to hire a chief security officer and to invest in “regular third-party infrastructure and application security audits,” Kumar says.
Executives at Blippy were not available for comment, but Kumar acknowledges that when news of the exposure began to spread on April 23, some alarmed customers were unable to disconnect their credit cards from their Blippy accounts because of site-traffic overload. “This resulted in many failed requests to delete accounts because we had not invested sufficiently in making our account-deletion process as programatically efficient as it could be,” Kumar wrote.
Similar social-networking sites that offer personal details, including users’ locations, recently began rising in popularity, raising questions among some observers about privacy risks. Backed by Charles River Ventures and Sequoia Capital, Blippy recently closed $11.6 million in private funding.
“I believe there is great risk for a lot more of this type of thing happening, as developers rush to put social-networking sites together as fast as possible while this is a hot concept,” Terry Cutler, premium services engineer at computer infrastructure software maker Novell Inc., tells PaymentsSource. “We have run tests on some of these new social-networking sites and have found huge security holes and a lack of awareness of the basic security standards out there.”