Blippy wants you to share news of your purchases with your friends. But now the company has to reassure users it isn't sharing more-delicate personal financial details with Google.
The budding Web start-up, which lets its users automatically post credit-card purchase data to a supposedly password-protected, Twitter-esque profile, was featured on the front page of the New York Times on Friday, April 23, only to have its press coup derailed later that afternoon when several users' credit-card numbers were discovered embedded in Google search results.
"The emotions we went through were pretty crazy this weekend," says co-founder Ashvin Kumar. "It was the worst possible thing that could happen for a small company like ours."
Though the information leak was small, it was detailed, including users' full credit-card numbers as well as the amounts and locations of purchases. More concerning still: this information was publicly available through a Google search anyone could run, without the help of any specialized tools or technical skills. Simply searching through Google's collection of Blippy search results for the phrase "from card" was enough to reveal the compromised data.
It was clearly a big problem for the small but growing website. Convincing skeptical users that there's value in sharing info about their financial transactions with their friends is challenging enough, issues of trust aside. "[Our] whole focus is trying to make a safe, secure and fun environment to feel comfortable sharing this information," Kumar says.
To salvage its reputation, Kumar says, the company moved fast, working with Google to get the search results removed and to make sure the problem was isolated. In a blog post, Blippy says the info was inadvertently exposed for up to eight users because of a brief coding problem in February (Google ran its search crawler during this period, inadvertently indexing the user data uncovered Friday). But it says existing users are no longer at risk of having their financial details wind up somewhere in Google's search results.
While there was a predictable outcry from some users (exacerbated by the fact that Blippy's interface made it difficult to remove an account entirely, a problem the service also had to fix), Kumar says there was no mass exodus and that Blippy's user base has actually grown since the first stories about the leak appeared. "I don't want to say any press is good press, because it certainly isn't in this case," Kumar says. "But we've seen a net uptick [in users]."
To make sure the latest security breach remains, well, a blip on Blippy's record, Kumar says the company plans to hire a chief security officer (a position it entirely lacked previously) and to conduct third-party audits of its information system to make sure further leaks aren't possible. It's an important step at a crucial time: on April 22, Blippy announced it had raised $11.2 million in its latest round of funding, an impressive number for a start-up less than a year old. Assuming the company can keep its user data under lock and key (and that the appetite for online oversharing continues unabated), Blippy still has a chance to craft a legacy beyond this latest mishap.