What is Blippy?
Blippy is a "social buying" website that allows its users to broadcast their online credit card transactions. Billed as "the financial version of Twitter," Blippy automatically posts "blips" that allow others to see what you bought, where you bought it, and how much you spent. 1
The Blippy Security Breach
On April 23, 2010, it was announced that the credit card numbers linked to 127 purchases had been leaked to public access through a Google search. The 127 transactions were made by a total of four Blippy users. 2 It was later revealed that as many as eight users' sensitive information had been made public. 3
Philip Kaplan, Blippy's founder, apologized for the breach and gave a brief explanation of what occurred on Blippy's official blog. In his words, the breach "looks super-scary and is embarrassing to us, it's a lot less bad than it looks." 4
Kaplan said that blips are created from raw data that includes much more information than what goes on Blippy for others to see. This raw data generally includes information like the store number of the purchase, the city in which the purchase was made, and so on. Even this fairly innocuous data is cleaned up, however, before the public blip is created.
Typically, the users' credit card numbers are not included in the raw data. But for reasons Blippy did not explain, the four unlucky users whose data was leaked had their entire credit card numbers appear in the raw data. This means that while average Web surfers wouldn't see the credit card numbers on the page itself, a user who was looking for sensitive data could access the raw data and read the credit card numbers out of the raw HTML.
Blippy kept its users updated through its company blog and formulated a new security plan to prevent such breaches from occurring in the future. 5
Ironically, the press attention the leak gave Blippy seems to have made the site more popular. After the security breach Blippy saw an increase in users. 6
Concerns for Parents
- There are many potential problems with Blippy.com. Publishing detailed financial information for everyone to see is risky. Browsing Blippy reveals usernames, locations where users shop, and even details about what they bought in certain cases. This info could also help spammers, predators, and identity thieves track you down and victimize you.
- Blippy could help spear phishers to scam users (spear phishing is phishing that targets specific individuals). By collecting people's information, spear phishers can personalize emails that they then send in order to scam the targeted people. This would make it difficult to tell whether an email was legitimate or a scam.
- Blippy does not intentionally release your credit card number to the public (though just about every other detail of your purchase is included in a "blip"). However, security leaks have occurred, allowing other Web users to access Blippy users' credit card numbers through a Google search.
How Can I Keep My Child Safe?
- The bottom line is that Blippy is risky. Using it puts you at risk for having your information misused or stolen. Before signing up for a Blippy account, consider the benefits versus the risks and be sure the fun Blippy offers is really worth the risk it requires.
- Be aware that your financial information will be out there. Make sure that emails asking for more personal information are legitimate. Choose not to display transactions from credit cards that you don't feel comfortable with people seeing. Another precaution to consider is to create your user account on Blippy.com without using your normal email address.
- Click on "settings" near the top right corner of the screen. This will allow you to adjust your privacy settings, customizing who can see information about your purchases. This is an important step because Blippy's default setting is to make all your purchases public to any user of Blippy.
Where Can I Learn More?
Here's a news article that was written near the time of Blippy's launch in early 2010.
Read this CNN article about a Blippy security breach—it may make you think twice about using Blippy.
Here's Blippy founder Philip Kaplan's explanation of the security breach, taken from the official Blippy blog.