The statement also details that just four credit card numbers were exposed as the result of "an isolated incident from many months ago in our beta test" and that current users have not been affected.
Here's how Blippy describes the chain of events that led to the appearance of credit card numbers in search results:
Say you buy lunch at Quiznos. Your credit card statement shows a complex entry like "Quiznos Inc Store #1234 San Francisco." But Blippy cleans this up to only show 'Quiznos.' We refer to these as the "raw data" vs the "cleaned up data."
Raw data is typically harmless. But it turns out that some credit cards (four out of thousands in this case) show the credit card number in the raw data. For example, "Quiznos Inc Store #1234 from card 4444...."
Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page. The average user would see nothing, but a determined person could see "raw" line items. Still, this was mostly harmless -- stuff like store numbers and such. And it was all removed and fixed quickly.
Enter Google's cache. Turns out Google indexed some of this HTML, even though it wasn't visible on the Blippy website. And exposed four credit card numbers (but a scary 196 search results).
We're working with Google now to remove Blippy from their cache, and they inform us it will be completed within a couple of hours.
Blippy also promises to take additional measures to up their third-party security checks and to be more careful in the future.
Nonetheless, given the already wary attitude of web denizens when it comes to sharing this type of confidential information, we're not confident that this explanation will do much to calm the fears associated with handing over credit cards or banking information to the now blemished site.
Update: Google is working to no longer show the snippets for the cached Blippy links.