Maybe all press is good press?

When reports surfaced that the young website Blippy had accidentally leaked the credit card numbers of five of its users online, some tech writers speculated that the startup would not be able to bounce back from the bad PR.

But the website's numbers tell a different story, according to the company's CEO, Ashvin Kumar.

Blippy - a Twitter-style website where people share details about their credit card purchases - had more users on Monday than it did on Friday morning before news of the security mishap hit, Blippy CEO Ashvin Kumar said in a phone interview on Monday.

Kumar declined to cite specific figures, but said some people have left the site because of its security issues; meanwhile, others have joined, ostensibly because of press surrounding the incident, or because of a front page story in the New York Times on Friday morning, which was published before the security troubles came to light, he said.

"We’re certainly net positive, meaning the number of users that signed up was greater than the number who deleted their accounts," he said by phone.

Kumar said Blippy is taking the security breach seriously.

"This is like the worst thing that could happen to us," he said. "This is very bad for us."

He added: "The safety and the security of our users is our number one priority every day. Every day we come to work just obsessing over how to build a better experience for our users, and the security of our users is the most important part of that."

Blippy has been in contact with eight people who may have had sensitive financial information posted in Google search results though Blippy, Kumar said. As of 7 p.m. ET on Monday, Kumar said he was not aware of any affected users who had experienced theft because of the postings.

He also said Blippy's funding was not affected by the security incident. On Friday, the New York Times reported the company recently received an $11 million investment.

Check out this previous blog post for details on new security measures Blippy is implementing.

Filed under: Blippy • Security

Blippy wants to get your trust back - but is it too late?

After an incident last week in which at least five Blippy users' credit card numbers were made public "due to a technical oversight," the website's CEO said Monday that he is enacting security measures to keep that from happening again.

Blippy CEO Ashvin Kumar writes in a blog post that he expressed "sincere remorse" to eight of the site's users whose sensitive information may have been compromised.

He plans to keep that from happening again; he says Blippy will:

1. Hire a chief security officer and associated staff that will focus solely on issues relating to information security.
2. Have regular 3rd-party infrastructure & application security audits.
3. Continue to invest in systems to aggressively filter out sensitive information.
4. Control caching of information in search engines.
5. Create a security and privacy center that contains information about what we are doing to protect you.

Kumar's post asks users with security concerns to e-mail suggestions to hello@blippy.com. "We will personally respond to each and every recommendation," he writes.

Blippy is a Twitter-like service that lets people post online about what they're buying. Users can hook up certain credit cards to Blippy.com, and each time they make a purchase, the site will inform the person's followers about what they bought and how much it the person paid for it.

For a half-day in February, the site posted raw data about these purchases, which, in some instances, contained sensitive information like credit card numbers or airline confirmation numbers, the blog post says.

When Blippy noticed the error, it tried to remove the sensitive raw data, but some of it remained in Google's search results until it was discovered Friday by the tech site VentureBeat, the blog says.

Kumar writes that some Blippy users have been deleting credit card information and entire accounts from the site in the wake of the security incident. He did not say how many people have left the site but apologized for the fact that some of the removal requests were not acted on because of the frenzy surrounding the security incident.

He apologized to people who use the site.

"They trusted us with their information, and we are truly disappointed to have let them down," he writes. "While these users reflect a tiny sliver of our user base, any number greater than zero is deeply unacceptable to us. We’ve built Blippy — and will continue to build Blippy — on the foundation of our community and the trust they place in us to create a safe, secure, and fun experience to share purchases."

Since Blippy relies on users handing over financial information to the site, trust is a key component of Blippy's business.

So the real question is this: In light of the security mishap and this response, would you trust Blippy with your credit card info?

Posted by: John D. Sutter -- CNN.com writer/producer
Filed under: Blippy • Security

Whole Foods Market and Facebook are warning users that a fan page claiming to offer $500 in free groceries at the health food chain is a scam.

Austin, Texas-based Whole foods said on its official Facebook page that the scam first cropped up on Thursday, and is an effort to steal people’s personal data.

The page offers fans a sign-up sheet for the supposed giveaway, which both installs malware on the user’s computer and fishes for credit and other financial information.

“Dear Fans, Please be wary of Facebook Pages offering you $500 Whole Foods Gift Cards. We only run giveaways and promotions on this Facebook Page and our stores' Pages,” read the post, dated April 2. “We have reported these to Facebook, and you can report these fraudulent Pages by clicking the "Report Page" link on the bottom of the left column on the left column of the Wall view.”

A page that was used in the Whole Foods scam appeared to be gone Tuesday morning. A search for “Whole Foods” and “$500” only revealed a small group warning people about the scam.

But Whole Foods said the pages were first noticed on Thursday and that new ones have been popping up as soon as old pages were taken down.

A spokesperson for Facebook said the social-networking site takes such scams seriously.

“Protecting the people who use Facebook from spam and scams is a top priority for us,” the spokesperson said Tuesday in a written statement. “Groups and Pages that attempt to trick people into taking a certain action or spamming their friends with invites violate our policies, and we have a large team of professional investigators who quickly remove these when we detect them or they're reported to us by our users.

By becoming a fan of Facebook’s security page, which has nearly 1.7 million fans, users can get updates on the threats that inevitably will pop up from time to time on a site with more than 400 million users.

Posted by: Doug Gross -- CNN.com producer
Filed under: Facebook • Hoaxes • Security • virus

Some news from Twitter this week could leave you with the impression that spam is becoming a dinosaur of the Web.

As of February, slightly less than 1 percent of posts on the micro-blogging site were unwanted spam, according to a blog written by Twitter's chief scientist, Abdur Chowdhury.

Not too long ago, spam was more rampant on the site, according to an info-graphic published by Twitter. In August of 2009, for example, nearly 11 percent of all Twitter posts were spam.

So, maybe this means we're getting past the era of computer-generated messages and malicious and trickster ads?

A look at the broader picture reveals we're not even close.

A whopping 9 out of 10 e-mail messages are still unsolicited, according to this helpful chart (.pdf) published by New Scientist.

The chart shows a number of fluctuations over the years, but an overall increase in spam since late 2006, when hackers started developing "botnets" of "zombie computers" that can send spam and malicious software out for them.

In June 2009, the average e-mail account received more than 100 spam messages per day, according to the chart.

A recent 3,000-person e-mail survey found nearly half of people continue to click on these messages, even if they know spam is a problem, The Toronto Sun reports.

And there's some evidence that social networks, like Twitter and Facebook, are "easy targets" for spammers. Sophos' "Security Threat Report: 2010," released in January, says online social networks are becoming a bigger part of Internet users' lives, so it's only natural that they would be big targets for spammers, too. (via CNET)

"Spam is now common on social networking sites, and social engineering—trying to trick users to reveal vital data, or persuading people to visit dangerous web links—is on the rise," the report says. (full report: PDF)

The U.S. Department of Homeland Security has a Web page with tips for how people can reduce and avoid spam, but the agency acknowledges that "you will probably not be able to eliminate it." Among its more-helpful tips: Create an extra e-mail account that you use to sign up for mailing lists and register for Web sites; and don't let your e-mail account automatically download image attachments for you, since those can identify your account to spammers.

Security experts also recommend people create new passwords for all of the Web sites they register with.

Twitter has posted a number of tips for reducing spam on its site, too. Among them: Report spam messages by sending a note to the Twitter's @spam account; or select the "report for spam" option from a drop-down menu on a problematic Twitter account's page (the menu is hidden behind an icon that looks like a gear wheel).

Do you get more spam than you used to? What's the funniest spam message you've ever gotten?

Posted by: John D. Sutter -- CNN.com writer/producer
Filed under: Security • spam • technology • Twitter

The man accused of cracking a Twitter database and peeking at the Twitter accounts of Barack Obama and Britney Spears said this week that he didn't mean harm, according to a French TV station.

He aimed to prove Twitter is vulnerable to attack.

"I'm not a hacker, or rather, I'm a nice hacker," he said, according to the France 3 station. (via AP)

The man, who is known by the nickname "Hacker Croll," is accused of stealing confidential documents from Twitter employees, and of looking in on the Twitter accounts of the U.S. president and celebrities, according to news reports. He was arrested on Tuesday by French police in cooperation with the U.S. Federal Bureau of Investigation. If convicted of hacking into a database, he could face up to two years in jail, according to the Agence-France Presse news agency.

The ordeal caught the public's attention in July, when a man calling himself Hacker Croll sent confidential documents from Twitter employees to the technology blog TechCrunch, which decided to publish some of the stolen documents.

What do you think about Hacker Croll's statement? Is there anything laudable about breaking into a system to uncover its faults? Can a person actually be a "good hacker?" Let us know in the comments section.

Posted by: John D. Sutter -- CNN.com writer/producer
Filed under: hacking • piracy • Security • technology • Twitter

Facebook has responded to a an apparently massive attempt to steal passwords from its users.

"There's another spoofed email going around that claims to be from Facebook and asks you to open an attachment to receive a new password," read a post on the Facebook Security page. "This email is fake. Delete it from your inbox, and warn your friends."

Facebook will never send users a new password in an attachment, the post says.

The messages claim to be from Facebook, with a return address that looks legitimate. A message sent twice to a CNN.com staffer reads:

Hey [user's name],

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Facebook Team.

McAfee security warned users in a blog post Wednesday that the link is a password stealer that becomes active when the user clicks on it. Once installed, malicious software, or malware, could potentially access all username and password information used on a computer, not just on Facebook, the post said.

Reports suggest the scheme continued to spread on Friday.

McAfee and Facebook urged users to not open the attachment and immediately delete the message, if up-to-date security software programs don't catch the message first.

Posted by: Doug Gross -- CNN.com producer
Filed under: Facebook • Security

The new "Twilight" vampire movie, due out Friday, is already sinking its teeth into the Web audience.

But searchers beware. Some online downloads for "The Twilight Saga: New Moon" and video interviews with cast members may not be what they seem. They could carry computer viruses.

This news comes from a computer security company, PC Tools, which says in a news release that a handful of search terms and links should make fans and would-be movie pirates suspicious. Among the phrases to watch out for: "Watch New Moon Full Movie," "streamviewer," and "Stephenie Meyer at 365Multimedia.com."

Yahoo explains further:

365Multimedia.com doesn't actually host interviews (it's a desktop background and screensaver website), and the link in question doesn't actually go there either. Instead, users are directed to a malicious website that takes that age-old scareware path: A pop-up alerts users that they are infected with some sort of malware, and then directs them to a download site so they can get a phony antivirus software product to remedy the issue.

365Multimedia could not be reached immediately for comment. Visitors to the site aren't at risk of getting their machines infected.

Scammers have been preying in recent years on the online popularity of news events and pop culture. When a topic like "Twilight" gets hot online, virus engineers use popular search terms to get more clicks and thus infect more machines.

Of course, you also could take the "Twilight" virus idea figuratively.

As one of the film's actors, Robert Pattinson, told The Boston Globe, "I don't know how, it [the "Twilight" series]  just explodes so quickly. It takes seven months to take hold – it's like a virus."

Posted by: John D. Sutter -- CNN.com writer/producer
Filed under: pop culture • Security • virus

[cnn-photo-caption image=http://i2.cdn.turner.com/cnn/2009/images/03/10/beckstrom.jpg caption="Rod Beckstrom, head of the NCSC, resigned last week."]

There's a bureaucratic wrestling match going on over which piece of the federal government will get to handle cybersecurity.

Here's the gist, gleaned from Wired and Forbes' coverage: On one side of the ring, there's the National Security Agency, which is known for its extreme secrecy and its program to wiretap phone conversations of Americans.

On the other, there's the Department of Homeland Security, which now manages computer security. The head of the department's computer security branch resigned last week, complaining that the NSA is trying to steal control of the program.

In his resignation letter to the Department of Homeland Security and in an interview with Forbes on Monday, Rod Beckstrom said consolidating the cybersecurity program under the NSA would put too much power in one agency's hands. Privacy groups are concerned about the NSA taking over the program because of how it handled secret wiretaps of phone conversations.

But the idea does have support. Director of National Intelligence Admiral Dennis Blair told Congress that the NSA should be in charge rather than Homeland Security.

Cybersecurity is a huge issue - especially since technology is often outpacing our ability to understand all of the implications. Many people want to see a solution that improves security without chilling innovation and openness on the Internet - or infringing on privacy. Others see most any attempt at increased security to be needed.

This post is just a primer, so please weigh in on this issue in the comments. How far should government go to make our computers secure? And which agency should handle that?

Also, check out these cybersecurity tips from Homeland Security.

Posted by: Cody McCloy
Filed under: Internet • Security