Blippy, the controversial site where the over-sharing, Web-connected generation can link their credit cards and share their purchases, has just come under fire from numerous tech blogs after the discovery that people's credit card numbers are now available on Google.
The site's value has been hotly debated since its launch, with some saying it's an incredible recommendation service while others say it's a privacy disaster waiting to happen. Interestingly enough, it was featured yesterday in the New York Times, where that same question was posed to readers.
Update: Blippy's Response
Blippy just posted an update on the company blog, arguing that the security breach "looks super-scary and certainly sucks for the 4 people who were affected (to whom we apologize and are contacting), and is embarrassing to us, it's a lot less bad than it looks."
You can find Blippy's full explanation here.
Thanks to a tipster who apparently emailed all the popular technology blogs (see: VentureBeat, Mashable, CenterNetworks for more coverage), there's a way to enter a simple search query into Google and get back the credit card numbers of Blippy users.
The query is: site:blippy.com +"from card"
At present, this security hole seems to be affecting Citibank-issued MasterCard numbers only, according to the bloggers at VentureBeat.
Blippy proponents will likely argue that the mistake, although quite a large one, was caught in time before major damage could be done. It's doubtful that any identity thieves have been able to retrieve these credit card numbers quickly enough to cause harm to those affected.
However, the users whose credit card info has been compromised will now have to cancel their cards and be issued new ones - a hassle, to say the least. Was the benefit of using Blippy worth it? What if this security hole had been discovered only by criminals and not by a white-hat hacker type like the guy who contacted us?
We've argued before that people should definitely weigh the risks to their privacy before using services like Blippy, especially since you're not just sharing info from one private credit card account, you're aggregating all of them. If Blippy's infrastructure were compromised, hackers could get all your credit card info and the usernames and passwords you use across the Web, too. (Probably the same one you use everywhere, if you're like most people.)
If that risk is acceptable to you, then by all means, share away. You might find it interesting to see what others have shared too. But when something like this happens, don't be surprised. Nothing put on the Web is ever really private - as this breach clearly shows.