科技回声
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Blippy And Credit Card Numbers - Official Blippy Blog

139 points by ashishk, about 15 years ago

16 comments

patio11, about 15 years ago

*We take security seriously and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn't affect current users.*

*While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it's a lot less bad than it looks.*

This could have been phrased a bit better to include an actual apology. It's pretty easy to do: "Several months ago Blippy's limited beta test leaked data about four customers, including their credit card numbers. That is totally our fault. We have apologized to those four customers personally and have taken steps to make sure it cannot happen again. The site currently does not leak data, but those four customers' numbers are still visible on Google searches. We are working with Google to correct this and expect it to be resolved in a few hours.

Here are the improvements Blippy has made to deserve our customers' trust:"

[Edited to add:

The Japanese salaryman in me would suggest that the CEO sign this post. Phrasing might include "This was ultimately a failure of our internal quality controls, because it should have been caught several times before this data was exposed publicly. I take full responsibility for the lapse and have begun..."]
tptacek, about 15 years ago

Yeah, I don't know. My lizard brain wants to see them writhing on the ground pleading for mercy, but the teeny tiny rational part of my brain wonders what I expected them to say instead of this.

If you get past your expectations about their attitude, they are being pretty forthright about what actually happened; in many more contrite disclosures, you don't get this level of detail. I appreciate the detail.

I'd like to see something other than the standard "now we're getting third-party security audits" platitudes. For instance, I'd like to know that they have a software security person *on staff* now, since they're clearly dealing with credit card information that they don't fully understand.
cjeane, about 15 years ago

*sucks for those few people who were affected*

Pretty much guarantees I'll never use this site.
thirdstation, about 15 years ago
Their anonymously-signed blog post doesn't engender much confidence in them as a company. Except that they try hard to protect their own identity.
samd, about 15 years ago

Either you want businesses to communicate with the public like normal human beings or you can complain and nitpick their statements for not being perfectly phrased. Not both.

I'm glad they candidly told us about what went wrong. There's an important lesson to remember about how everything put on the web can be indexed and stored even if it was only up for a short time.
icey, about 15 years ago
Wow, I would have thought they would have at least made a motion to apologize. Instead they've basically said "hey, this isn't a big deal, stop complaining".
dsplittgerber, about 15 years ago
If the onus is soon going to be on the user having to explain why he sees a problem with his private details being shown to the whole world, there are going to be lots of problems and incidents which people are in no way ready for.
sriramk, about 15 years ago

I was chatting with someone about the language used in a lot of these apologies. This has come up in a lot of issues, like in the Justin.tv suicide case.

I think companies fear legal repercussions. If you use certain words, you might be taking blame onto yourself in a legal sense and might have someone use that against you in a lawsuit.

I'm not sure about this incident, but I definitely sensed that was the issue with the Justin.tv apology.
donw, about 15 years ago

Sorry, but this blog post indicates that Blippy is in no way serious about security. Blippy handled sensitive data (credit card numbers) in a highly insecure fashion, and rather than treating it like a full-scale emergency, which it is, regardless of the number of people affected, we get this "hey, it's no big deal" blog post.

What other massive security mistakes are lying around in their codebase? Why does this sort of reply give me absolutely no faith that they'll deal with those problems seriously when/if they arise?
ssp, about 15 years ago
Their response is totally fine and in proportion to the actual harm done.
waxman, about 15 years ago

Everyone and every company makes mistakes, so it's not a matter of whether or not you screw up (because you will), but rather how you will deal with it when it happens. I think Blippy dealt with it pretty well.

Having said that: I think Blippy was a dumb idea to begin with, and this dumb mistake may have been the final nail in the $11-million-Series-A-funded coffin.
there, about 15 years ago

Now that this whole thing has blown over, I'd love to hear from someone at Blippy regarding how this affected their subscriber count. I have a feeling it went up today despite the negative press.
lallysingh, about 15 years ago

Hint for the future: if you're processing raw data that could include credit card numbers, filter out 16-digit sequences as a whole.
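The filtering step lallysingh describes, written out as an added example (this is not code from the thread, from Blippy, or from the blog post). It goes slightly beyond the comment: it catches 13 to 19 digit runs (the full range of card number lengths), tolerates the space or dash grouping that appears in raw transaction text, and offers an optional Luhn check so that order numbers and similar identifiers are not redacted by mistake. The log lines and the card numbers in `SAMPLE_LINES` are constructed for the example; the card numbers are the public test numbers, not real accounts.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated into groups by
# single spaces or dashes (e.g. "4111 1111 1111 1111"). The lookarounds stop the
# pattern from matching a slice of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str, require_luhn: bool = False) -> str:
    """Replace card-number-like digit runs with a placeholder keeping only the last four digits.

    require_luhn=False (the conservative default, matching the comment's advice) redacts
    every candidate run. require_luhn=True leaves runs that fail the Luhn check alone, which
    keeps order numbers readable at the cost of missing a malformed card number.
    """
    def _replace(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if require_luhn and not luhn_valid(digits):
            return raw
        return "[PAN ending " + digits[-4:] + "]"
    return _CANDIDATE.sub(_replace, text)


# Constructed sample lines (hypothetical, not Blippy data). The 4111... number is a
# public test number; the 1234... run is a 16-digit order id that fails Luhn.
SAMPLE_LINES = [
    "2010-04-23 purchase at cafe, paid with 4111 1111 1111 1111",
    "2010-04-23 order 1234567890123456 shipped to customer",
    "2010-04-23 support callback requested at 555-123-4567",
]


def redact_lines(lines, require_luhn: bool = False):
    """Apply redact_pans to every line before it is stored, displayed or indexed."""
    return [redact_pans(line, require_luhn) for line in lines]


if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LINES):
        print(line)
```

The point of running this on the raw feed, before anything is written to a database or rendered on a page, is that once a page is public it can be crawled and cached; redacting at ingestion is the only step that prevents the copy search engines keep. Whether to enable the Luhn check depends on how much you trust the upstream format: the conservative default follows the comment and redacts every candidate run.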
codemechanic, about 15 years ago

"That's why it's okay to hand your credit card over to waiters, store clerks, and hundreds of other people who all have access to your credit card numbers."

I don't like this attitude. Anyway, who cares when you have $11.2 million in funding.
jamesshamenski, about 15 years ago

All publicity is good publicity.
latch, about 15 years ago

You guys are being too hard on them. Shit happens. Even serious shit. I feel like they are being accountable and honest.