
Blippy Caught in Apparent User Privacy Breach

UPDATED: Users who sign up for Blippy, the service that encourages sharing personal transactions online, do so with the expectation of becoming more open about their purchase data. But they don’t expect their credit card numbers to be posted online, which is what seems to have happened. If you search Google using the terms “ + ‘from card,'” you’ll see what appear to be a set of transactions at Starbucks, Exxon Mobil, Kroger’s and other stores. Many of them are in Michigan and many of them appear to be from a single credit card.

To be clear, there are only 196 results for that search query. But Blippy has yet to speak up for itself, more than three hours after VentureBeat’s Owen Thomas tweeted about it, and in the meantime “Blippy Users’ Credit” has become a trending topic on Twitter. Blippy’s privacy page promises to tell users of security breaches “in the most expedient time possible and without unreasonable delay.”

Update: Blippy founder Philip Kaplan has now posted on the company blog and spoken to at least one reporter about the breach. He said the credit card numbers shared belonged to a total of four users who had been early beta testers. Blippy had since cleaned up its data but Google was still caching it.

Kaplan wrote:

We take security seriously and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn’t affect current users.

While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it’s a lot less bad than it looks.

He gave further detail to the New York Times:

Mr. Kaplan said that early on, Blippy started disguising the raw transaction data behind the scenes, but it did not know about the breach until today. He added, “This still looks pretty bad.”

Blippy is a brand-new startup that just raised $11.2 million in new funding at a valuation of $46.2 million — and yesterday was the recipient of a New York Times writeup about the new age of personal information sharing online. What the company doesn’t need is the perception that it’s cavalier with user data. A little breach goes a long way against user trust — and the service is on the hook for a lot of growth to live up to that new funding.

11 Responses to “Blippy Caught in Apparent User Privacy Breach”

  1. I still do not understand this service. Why in the world would I want to share with anyone what I purchased? Why would I care what a friend of mine purchased? We want to share things with other people online, but this is taking things way too far. This site will never really catch on with mainstream users.

  2. This made me curious about the whole space to see who else is in the game. Liz – would be good to see an article highlighting other players. Kaboodle, ShopSocially, etc.

  3. Blippy should be glad about the $11m funding they received. At least they will be able to pay out all the users when they get sued. Will these payouts be posted on Blippy too? If not, hopefully they will have enough money left to post that last coffee shop purchase.

  4. I ‘deleted’ my account there as soon as I heard this news. Not only does this “look bad” but it really IS bad, at least for the future success of Blippy.

  5. Merchants should never be handling, processing and storing raw credit card data. There are plenty of solutions in the marketplace that allow merchants to accept credit card payments and remotely store the data for recurring or future purposes. Having the data pass through a merchant environment or trying to securely store it is expensive, risky and unnecessary.