Four users of the social networking site Blippy.com had an unwelcome surprise April 23 when it was discovered that a Google search turned up their credit card information.
Blippy.com provides a way for people to post information about their shopping habits (what they buy, how much they spend) to share with friends. The data leak was the residual effect of a situation uncovered months ago in a beta test, the company said.
Before the situation was fixed, a Google search exposed four credit card numbers used for purchases at locations including Exxon Mobil and Starbucks.
Blippy explained in a statement that when the company was first building the site, some raw data could be viewed in the HTML source of a Blippy Web page. Most of the information was nonsensitive data such as store numbers, and it all was removed and the issue was fixed quickly, the company said.
“Turns out Google indexed some of this HTML, even though it wasn’t ever visible on the Blippy Website, and was removed from the HTML code months ago. Which exposed four credit card numbers (but a scary 196 search results),” Blippy co-founder Philip Kaplan said in the statement.
“We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again,” Kaplan said, adding, “We are also conducting third-party security audits, and will be a lot more careful before new features are released, even if it’s during a small, limited beta test period.”
A spokesperson for Google said the company first learned about the situation around 9 a.m. PT. The numbers became discoverable in Google search snippets as part of the search engine’s normal crawling and indexing processes, he said.
“Blippy contacted us and we took special measures to remove the numbers from search results,” the Google spokesperson said. “We fixed the problem by 11:20 a.m. Pacific and the numbers should no longer be discoverable in search.”