Bitly compromised, change your password immediately


Nowadays if you include the URL of a webpage in your tweet, the space occupied by the link shortens on its own. There was a time when one needed sites like Bitly or TinyURL to do this and save space that could be used for longer messages. Despite the automatic facility available now, many users who had given the likes of Bitly access to their Twitter handles did not care to revoke the access. It is time they did.

Link-shortening and tracking tool Bitly has urged users to reset their passwords amid a security scare that surfaced late Thursday night. “We have reason to believe that Bitly account credentials have been compromised,” Bitly CEO Mark Josephson said in an official blog post. “We have no indication at this time that any accounts have been accessed without permission.”

The warning from the service appeared on its website as follows:

We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.
We are recommending all Bitly users make these changes. Please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts.
We invalidated all credentials within Facebook and Twitter. Although users may see their Facebook and Twitter accounts connected to their Bitly account, it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles.
Following are step-by-step instructions to reset your API key and OAuth token:
1. Log in to your account and click on “Your Settings,” then the “Advanced” tab.
2. At the bottom of the “Advanced” tab, select “Reset” next to “Legacy API key.”
3. Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4. Go to the “profile” tab and reset your password.
5. Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the “Connected Accounts” tab in “Your Settings.”
We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all user data going forward.
If you’re experiencing any trouble with the Bitly iPhone app, please update to the latest version found here. We have expedited an update to address any issues.
If you have account-specific questions, you can reach us at support@bitly.com.
We take your security and trust in us seriously. The team has been working hard to ensure all accounts are secure. We apologize for any inconvenience and we will continue to update our Twitter feed, @Bitly, as we have any further updates.
Thank you.
Mark Josephson
CEO, Bitly

The news comes just two months after Bitly suffered a distributed denial-of-service (DDoS) attack. On 9 and 10 May, it issued the following warnings via Twitter:

As a precautionary measure, the service has disconnected all users’ Facebook and Twitter accounts that were synced to Bitly accounts. “All users can safely reconnect these accounts at their next login,” he added. This is notwithstanding the fact that Facebook did not suffer from a space constraint like Twitter; Facebook also transforms a link into a thumbnail, after which you can remove the link text you had pasted in your status update, and hence fewer users of the former needed a Bitly-like facility.

Facebook and Twitter use OAuth, a delegated-authorization protocol, to grant Bitly a token that stands in for a user’s login, so Bitly’s servers never hold the actual passwords to accounts on those services. However, an OAuth token is a bearer credential: an attacker who obtained the tokens could still use them to act on the linked Facebook or Twitter accounts until those tokens were revoked, which is why Bitly invalidated them all.
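The two properties that limit the damage of a leaked credential table, as an added illustration that is not Bitly's code: store only a hash of each API key or token so a database dump yields nothing replayable, and track the "generation" a credential was issued under so a single counter bump invalidates everything issued before the incident (the mass disconnect described above). The `TokenStore` class and its methods are hypothetical names constructed for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical token store (constructed for this example, not Bitly's code).
# 1. Only the SHA-256 of a token is persisted; the plaintext is handed to the
#    caller once and never written down, so a stolen table is not a bearer key.
# 2. Each record carries the generation it was issued under. Incident response
#    bumps the generation instead of walking and deleting every row.


@dataclass
class TokenRecord:
    user: str
    token_hash: str
    generation: int
    issued_at: float


@dataclass
class TokenStore:
    generation: int = 1
    records: dict = field(default_factory=dict)  # token_hash -> TokenRecord

    @staticmethod
    def _hash(token: str) -> str:
        # Random, high-entropy tokens do not need a slow password hash;
        # a plain SHA-256 is enough to make the stored form non-replayable.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a 256-bit random bearer token and return its plaintext once."""
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self.records[digest] = TokenRecord(user, digest, self.generation, time.time())
        return token

    def lookup(self, token: str):
        """Return the owning user, or None if the token is unknown or revoked."""
        rec = self.records.get(self._hash(token))
        if rec is None or rec.generation < self.generation:
            return None
        return rec.user

    def revoke_all(self) -> int:
        """Invalidate every outstanding token; returns how many were live."""
        live = sum(1 for r in self.records.values() if r.generation == self.generation)
        self.generation += 1
        return live

    def plaintext_present(self, token: str) -> bool:
        """Sanity check used in tests: a dump of the table must not contain the token."""
        return any(token in (r.token_hash, r.user) for r in self.records.values())
```

After `revoke_all()` an attacker holding a dump of `records` has only hashes, and a token copied before the incident fails `lookup()`; users reconnect by calling `issue()` again, which is what "reconnect at your next login" amounts to server-side.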

Bitly said it was looking into the issue and had taken “proactive measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward”.

A more detailed warning was issued soon after the first. It is as follows:

While we continue working through our response to the compromise we reported yesterday, we wanted to provide some more insight into the question of how this happened and what we have done to ensure security going forward.
Early Thursday morning, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.
Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts.
We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.
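The signal Bitly's team describes, an unusual volume of traffic leaving offsite backup storage that no Bitly job initiated, is easy to check for once access logging on that storage is enabled. The following detector is an added example, not Bitly's tooling; the log format, the field order, the sample lines and the `10.0.4.12` / `203.0.113.77` addresses are all constructed for illustration. It raises one alert for any download from a source outside the allowlist of known backup hosts, and one for any clock hour in which downloaded bytes exceed a budget.

```python
from collections import defaultdict

# Constructed access-log excerpt for a hypothetical backup bucket.
# Fields: timestamp  method  object  source_ip  bytes
# 10.0.4.12 is the (assumed) legitimate backup host; 203.0.113.77 is an
# unexpected downloader. All values are invented for this example.
SAMPLE_LOG = """\
2014-05-08T02:00:13Z PUT users-2014-05-07.sql.gz 10.0.4.12 734003200
2014-05-08T02:00:58Z PUT links-2014-05-07.sql.gz 10.0.4.12 2147483648
2014-05-08T03:12:41Z GET users-2014-05-07.sql.gz 203.0.113.77 734003200
2014-05-08T03:14:02Z GET links-2014-05-07.sql.gz 203.0.113.77 2147483648
2014-05-08T03:15:30Z GET users-2014-05-06.sql.gz 203.0.113.77 731906048
2014-05-08T09:30:00Z GET links-2014-05-07.sql.gz 10.0.4.12 2147483648
"""

KNOWN_SOURCES = {"10.0.4.12"}          # hosts that are allowed to pull backups
HOURLY_EGRESS_BUDGET = 3 * 1024 ** 3   # 3 GiB of downloads per hour is "normal"


def parse_line(line):
    """Split one log line into (timestamp, method, object, source_ip, bytes)."""
    ts, method, obj, ip, nbytes = line.split()
    return ts, method, obj, ip, int(nbytes)


def detect(log_text, known_sources=KNOWN_SOURCES, budget=HOURLY_EGRESS_BUDGET):
    """Return a list of alert tuples for unexpected backup downloads.

    ("unknown_source", ip, download_count)      - GETs from a non-allowlisted host
    ("egress_spike", "YYYY-MM-DDTHH", bytes)    - hour whose GET volume exceeds budget
    """
    downloads_by_source = defaultdict(int)
    egress_by_hour = defaultdict(int)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, method, _obj, ip, nbytes = parse_line(line)
        if method != "GET":
            continue  # uploads from the backup job are expected; only egress matters
        if ip not in known_sources:
            downloads_by_source[ip] += 1
        egress_by_hour[ts[:13]] += nbytes  # bucket by clock hour

    alerts = []
    for ip, count in sorted(downloads_by_source.items()):
        alerts.append(("unknown_source", ip, count))
    for hour, total in sorted(egress_by_hour.items()):
        if total > budget:
            alerts.append(("egress_spike", hour, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The allowlist rule catches the case in the post directly (a download nobody at Bitly started), while the volume rule is a fallback for an attacker who reuses a legitimate host's credentials: a restore of a full backup from a known host at 09:30 stays under budget, but pulling three dumps in a few minutes does not.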
We have a number of projects remaining to continue to add layers of security, but here are some of the things we have done since the breach and are continuing to work on:

  • Invalidated all Twitter and Facebook credentials
  • Rotated all credentials for our offsite storage systems
  • Enabled detailed logging on our offsite storage systems
  • Rotated all SSL certificates
  • Reset credentials used for code deployment GPG encryption of all sensitive credentials
  • Enforced two-factor authentication on all 3rd party services company-wide
  • Accelerated development of our work to support two-factor authentication for bitly.com
  • Accelerated development for email confirmation of password changes
  • Added additional audit details to user security pages
  • Enabled detailed logging on our offsite storage systems
  • Updated iPhone App to support updated OAuth tokens
Rob Platzer
CTO, Bitly