Blippy Issues, Resolutions, Plan

It has been a rocky weekend for Blippy. The weekend began with a front page article in the New York Times announcing our Series A financing. The elation didn’t last long. A few hours later, reports surfaced about the discovery of credit card numbers within Google’s cached search results. Our mood quickly went from elation to disbelief to disappointment. We are very sorry.

However, this is a very serious issue and simply apologizing is not enough. We’ve spent the last 48 hours working around the clock to dissect the issues, reach out to affected users, and put together a plan to ensure this never happens again.

Issues
  1. In early February, due to a technical oversight on our part, some raw transaction data appeared within the HTML code on some Blippy pages for about half a day. Raw transaction data is the messy one-line sentence that appears on a bank or credit card statement. For example, if you buy lunch from Quiznos, your credit card statement might display the raw transaction data as “Quiznos Inc Store #1234 San Francisco”. Blippy tries to clean this data so it appears as simply “Quiznos”.
  2. Up until that day in early February, based on the raw transaction data we had observed during our beta period, we incorrectly considered raw data fairly harmless. It typically is. However, during that half day period of exposure, we were informed that raw transaction data sometimes contains airline confirmation numbers, which in combination with a user’s last name could be used to check someone into a flight. As we have always strived to be highly attentive to potential security and privacy problems, we quickly patched the issue and took extra precautions to never ever expose raw transaction data again.
  3. What we did not realize until Friday morning was the fact that in that half day period, Google had crawled and indexed a portion of Blippy’s pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index. Google effectively took a snapshot of Blippy during that half day period. Though our site has changed considerably since early February, Google’s snapshot of these pages did not update, which effectively extended a half day exposure into a three month exposure. While Google provides webmasters with tools to remove pages from its index, we overlooked the fact that Blippy could have been crawled by Google during the period of the exposure.
  4. Naturally, when users learned of the issue this weekend, some wanted to disconnect their credit card accounts or delete their entire user account. At the same time, Blippy’s servers had been under increased load due to the media attention. This resulted in many failed requests to delete accounts because we had not invested sufficiently in making our account deletion process as programmatically efficient as it could be.

Resolutions
  1. We spent Friday simultaneously trying to understand (a) what had led to sensitive information appearing on Google, and (b) working with Google to remove the search snippets and search results on Google for the discovered cards. Google removed these 200 or so URLs promptly.
  2. On Saturday morning, upon the discovery of an additional card, we requested Google remove all snippets and cached pages related to Blippy. This affected some 20,000 pages, much more than what was exposed, but more importantly it effectively removed any remaining sensitive information. Many thanks to Google for their responsiveness. The manner and speed at which they operated was extremely impressive.
  3. While we are pleased that the sensitive data is no longer accessible via Google, it is important to acknowledge that there was a period of nearly 3 months during which this data was publicly accessible. To this end, as I mentioned in my previous update, our team looked at all of the data published to our service during that time period, in an effort to identify the extent to which information may have been accessible to the public via Google. We were extremely conservative in viewing the data for potential exposure (even if we were unable to confirm that such exposure had taken place). As a result, we reached out to a total of eight individuals.
  4. We also fixed the errors associated with the deletion of credit card accounts and user accounts.

We have now reached out to all affected users, notified them of the issue, and expressed our sincere remorse. We will be working with these users to assist them in resolving any issues that may arise out of this unfortunate situation. They trusted us with their information, and we are truly disappointed to have let them down. While these users reflect a tiny sliver of our user base, any number greater than zero is deeply unacceptable to us. We’ve built Blippy — and will continue to build Blippy — on the foundation of our community and the trust they place in us to create a safe, secure, and fun experience to share purchases.

After reaching a resolution, we spent today working on a go-forward plan to ensure that this never happens again.

Plan
  1. Hire a Chief Security Officer and associated staff that will focus solely on issues relating to information security.
  2. Have regular 3rd-party infrastructure & application security audits.
  3. Continue to invest in systems to aggressively filter out sensitive information.
  4. Control caching of information in search engines.
  5. Create a security and privacy center that contains information about what we are doing to protect you.

The security of our users is our highest priority. If there are additional measures you would like us to take to improve Blippy’s security, please do not hesitate to email us at hello@blippy.com. We will personally respond to each and every recommendation.

We deeply regret what happened and are working tirelessly to regain the trust of our community. Thank you for reading.

Sincerely,

Ashvin Kumar
Co-Founder & CEO
ashvin@blippy.com
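
The following is an added example, not Blippy's code or part of the original post. It sketches plan items 3 and 4 for the failure described under Issues: it masks Luhn-valid card numbers in a raw transaction line and scans a page's full markup (not just its visible text) before publishing. All function names and the sample markup are constructed for illustration, and the card number is a standard test number.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample: raw data sitting in an attribute the user never sees.
SAMPLE_HTML = ('<div class="purchase" data-raw="Quiznos Inc Store #1234 '
               'from card 4111 1111 1111 1111">Quiznos</div>')


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return each Luhn-valid candidate found in text, as bare digits."""
    candidates = (re.sub(r"[ -]", "", m.group())
                  for m in PAN_CANDIDATE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]


def redact_raw_descriptor(raw: str) -> str:
    """Mask Luhn-valid candidates before a raw line is stored or rendered."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return "[REDACTED-PAN]" if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(mask, raw)


def check_page_before_publish(html: str) -> dict:
    """Scan the whole markup: the exposure lived in HTML source that
    visitors never saw but a crawler indexed."""
    pans = find_pans(html)
    return {
        "publish": not pans,
        "pan_count": len(pans),
        # X-Robots-Tag: noarchive asks search engines not to keep a cached copy.
        "headers": {"X-Robots-Tag": "noarchive"},
    }
```

A Luhn filter only catches card numbers; other sensitive values mentioned above, such as airline confirmation numbers, have no checksum and need an allow-list approach (publish only the cleaned merchant name, never the raw line).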

Blippy And Credit Card Numbers: Update

The security and privacy of our users is extremely important to Blippy and is our top priority. As a continuation of our efforts from yesterday, when 4 credit card numbers were discovered in Google’s cache, we’re taking the following measures:

  1. We’re continuing to work with Google to have them remove all sensitive information from their cache.
  2. We’re analyzing our backup databases from January & February to understand what additional information the Google cache may have.

To date, we’ve discovered one additional credit card number and have reached out to the owner. And while we don’t anticipate anyone else to be affected, we’re continuing our investigation with urgency.

Only a very small subset of our users have the potential to be affected by this incident. In order to be affected, ALL of the following must be true:

  1. The user had to sign up for Blippy prior to February 3rd, 2010.
  2. The user had to link a credit or debit card account to Blippy.
  3. The user had a public account on Blippy.
  4. The user’s bank must include credit card numbers in the line-item purchases on their credit card statement. So instead of the usual statement showing “Quiznos,” the bank statement would list something similar to “Quiznos from card number 4444…..”  To date, we’ve only found 2 banks that do this, and no major banks.
  5. The Google cache for a purchase on Blippy from that credit card must not have been updated since early February, 2010.

We have asked Google to re-index the entire Blippy website, or at the least remove Blippy from their cache. We are continuing our investigation and will update this blog when we have news.

Ashvin Kumar
Co-Founder

Blippy And Credit Card Numbers

Today someone discovered a Google search that displays the credit card numbers of 4 Blippy users.

Blippy sincerely apologizes to those 4 users and we have reached out to them.  We will do what it takes to ensure that they are minimally affected.

The credit card numbers are appearing in Google.com’s cache from 2 months ago, and never appeared on Blippy (more on that below).  As such, we’ve reached out to Google and are confident that they will act as quickly as possible to remove the credit card numbers from their servers. (Update: Google has successfully removed the numbers from their cache)

We are serious about security and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn’t affect current users.  Also, this was not the result of a hack or security breach to our servers.

Here are the details:

  • Say you buy lunch at Quiznos.  Your credit card statement shows a complex entry like “Quiznos Inc Store #1234 San Francisco.”  But Blippy cleans this up to only show “Quiznos.”  We refer to these as the “raw data” vs the “cleaned up data.”
  • Raw data is typically harmless.  But it turns out that some credit cards (4 out of thousands in this case) show the credit card number in the raw data.  For example, “Quiznos Inc Store #1234 from card 4444….”
  • Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page.  The average user would see nothing, but a determined person could see “raw” line items.  Still, this was mostly harmless — stuff like store numbers and such.  And it was all removed and fixed quickly, months ago.
  • Enter Google’s cache.  Turns out Google indexed some of this HTML, even though it wasn’t ever visible on the Blippy website, and was removed from the HTML code months ago.  Which exposed 4 credit card numbers on Google.com (but a scary 196 search results).
  • We have contacted Google to request that they remove all credit card numbers from their servers.

We take this very seriously and are deeply sorry for the extreme inconvenience we caused to the 4 affected users.  We will help make sure they are minimally affected.

In general, it’s important to remember that you’re never responsible if someone uses your credit card without your permission. That’s why it’s okay to hand your credit card over to waiters, store clerks, e-commerce sites, and hundreds of other people who all have access to your credit card numbers. Still, this should have never happened and we take responsibility.

We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again. We recently raised $11.2 million from investors and are using a significant amount of that to build a world-class, secure infrastructure. We are also conducting third-party security audits, and will be a lot more careful before new features are released, even if it’s during a small, limited beta test period.

Contact us for any reason at hello@blippy.com

Thank you for reading.

Philip Kaplan
Co-Founder