Bitly urges users to secure accounts after security breach

Bitly is urging users to secure their accounts after attackers breached its data through a compromised employee account

Link-shortening service Bitly is urging users to secure their accounts after hackers breached its systems through a compromised employee account.

At the weekend, Bitly emailed users to ensure they followed the steps recommended on Friday 9 May 2014, after initial reports of a suspected security breach.

The service wants all users to change their API keys and OAuth tokens, reset their passwords and reconnect their Facebook and Twitter accounts.

According to chief technology officer Rob Platzer, Bitly’s security team learned of a possible compromise of Bitly user credentials from the security team of another technology company on 8 May 2014.

The service immediately began operating under the assumption it had a breach and started the search for all possible compromise vectors.

The security team found there had been no external connections to the production user database, nor had there been any unauthorised access of its production network or servers.

But an unusually high amount of traffic from Bitly’s offsite database backup storage led the company to assume it had been compromised and initiate its incident-response plan.

Compromised employee account


As part of that response, Bitly audited the security history of its hosted source code repository, which contains the credentials for access to the offsite database backup storage.

This led to the discovery of unauthorised access to an employee’s account.

The service said it was working on the assumption that hashed passwords had been exposed, but that plain text passwords had not, because all passwords are salted and hashed.

“If you registered, logged in or changed your password after 8 January 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5,” Platzer wrote in a blog post.
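The two schemes Platzer describes, legacy salted MD5 and a newer HMAC-plus-slow-hash scheme with a per-user salt, together with the upgrade-on-login path that converts old records to the new one. This is an added illustration, not Bitly's code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and the pepper value and record layout are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed server-side secret for the HMAC step (assumption: in a real
# deployment it is stored outside the password database, e.g. in a secrets store).
PEPPER = b"constructed-example-pepper-not-a-real-secret"
PBKDF2_ITERATIONS = 200_000  # work factor, standing in for bcrypt's cost parameter


def legacy_md5_hash(password: str, salt: bytes) -> bytes:
    """Legacy scheme named in the article: salted MD5. Kept only to verify old records."""
    return hashlib.md5(salt + password.encode()).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Newer scheme: HMAC the password with a server secret, then run a slow salted KDF.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: bcrypt is a third-party
    package); the 'HMAC, then slow salted hash' structure is the point."""
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored record in the newer scheme with a fresh per-user salt."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-hmac", "salt": salt, "hash": strong_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Verify a password against a stored record. A correct password against a legacy
    salted-MD5 record returns an upgraded record for the caller to persist, mirroring
    the conversion on login/registration/password change that the article describes.
    Constant-time comparison avoids leaking hash bytes through timing."""
    if record["scheme"] == "md5-salted":
        ok = hmac.compare_digest(record["hash"], legacy_md5_hash(password, record["salt"]))
        return (True, make_record(password)) if ok else (False, record)
    ok = hmac.compare_digest(record["hash"], strong_hash(password, record["salt"]))
    return ok, record


if __name__ == "__main__":
    old_salt = os.urandom(8)
    legacy = {"scheme": "md5-salted", "salt": old_salt,
              "hash": legacy_md5_hash("hunter2", old_salt)}
    ok, upgraded = verify_and_upgrade(legacy, "hunter2")
    print(ok, upgraded["scheme"])  # True pbkdf2-hmac
```

Records that never see a successful login keep the legacy hash, which is why a migration like this still leaves a population of weaker hashes and why a forced reset after exposure is the usual follow-up.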

Bitly's security progress

Bitly immediately enabled two-factor authentication for all accounts on the source-code repository and began securing the system against additional vulnerabilities.

The service emphasised that no Bitlinks were affected or changed because the production database was never compromised, nor was there any unauthorised access to its production network or environment.

According to the service’s latest update, there are a number of projects remaining to add layers of security.

However, Bitly said that since the breach it had:

  • Invalidated all Twitter and Facebook credentials;
  • Rotated all credentials for its offsite storage systems;
  • Enabled detailed logging on its offsite storage systems;
  • Rotated all SSL certificates;
  • Reset credentials used for code deployment;
  • Enabled GNU Privacy Guard encryption of all sensitive credentials;
  • Enforced two-factor authentication on all third-party services company-wide;
  • Accelerated work to support two-factor authentication for;
  • Accelerated development for email confirmation of password changes;
  • Added additional audit details to user security pages;
  • Updated the Bitly iPhone App to support updated OAuth tokens.
