Blippy users' credit cards exposed

Consumer Reports News: April 26, 2010 02:29 PM

Find Ratings

Computers

If you've ever wondered why you'd want to publish your every move with a credit card on Blippy, here's a reason not to do so: Earlier this year, the credit-card numbers of several Blippy users were inadvertently exposed on the Web and, because Google had taken a snapshot of that page, the numbers were public for a full three months.

Blippy has been described as a social shopping network, and even a "social over-sharing site." When you use Blippy, you link it to your accounts, such as Amazon, Netflix, and iTunes. When you make purchases, Blippy automatically updates your page with info about what you purchased, from where, and for how much.

In its blog on the incident, Blippy describes how raw transaction data appeared on its site for a half day in February and Google crawled the site and took a snapshot that included the HTML code with that data, plus how a search of that code would have revealed the credit-card numbers of several Blippy users.

There's an irony to the Blippy story: Just a day before it broke, the New York Times had run a front-page story, titled "For Web's New Wave, Sharing Details Is the Point," describing the dangers and appeal of Blippy and its kin. The Times mentioned that Blippy had just received $11.2 million in venture capital funding.

The breached data has since been removed by Google, and Blippy's blog outlines steps the company is taking to decrease the chances of such problems recurring, including hiring a chief security officer. It's hard to believe the company hadn't done that on day one.

Meanwhile, there are no obvious notices on Blippy's main site about the incident. The only way to get information is by going to the site's blog.

You should always use caution when submitting personal info online. Here's our advice on protecting yourself from identity theft.

—Donna Tapellini