UPDATED Users who sign up for Blippy, the service that encourages sharing personal transactions online, do so with the expectation of becoming more open about their purchase data. But they don’t expect their credit card numbers to be posted online, which is what seems to have happened. If you search Google using the terms “site:blippy.com + ‘from card’”, you’ll see what appear to be a set of transactions at Starbucks, Exxon Mobil, Kroger and other stores. Many of them are in Michigan and many of them appear to be from a single credit card.
To be clear, there are only 196 results for that search query. But Blippy has yet to speak up for itself, more than three hours after VentureBeat’s Owen Thomas tweeted about it, and in the meantime “Blippy Users’ Credit” has become a trending topic on Twitter. Blippy’s privacy page promises to tell users of security breaches “in the most expedient time possible and without unreasonable delay.”
Update: Blippy founder Philip Kaplan has now posted on the company blog and spoken to at least one reporter about the breach. He said the credit card numbers shared belonged to a total of four users who had been early beta testers. Blippy had since cleaned up its data but Google was still caching it.
“We take security seriously and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn’t affect current users.
“While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it’s a lot less bad than it looks.”
He gave further detail to the New York Times:
“Mr. Kaplan said that early on, Blippy started disguising the raw transaction data behind the scenes, but it did not know about the breach until today. He added, ‘This still looks pretty bad.’”
Blippy is a brand-new startup that just raised $11.2 million in new funding at a valuation of $46.2 million — and yesterday was the recipient of a New York Times writeup about the new age of personal information sharing online. What the company doesn’t need is the perception that it’s cavalier with user data. A little breach goes a long way against user trust — and the service is on the hook for a lot of growth to live up to that new funding.