Bitly discloses account compromise, urges users to change passwords

On Thursday evening, Bitly (bit.ly), one of the Web’s largest URL shortening services, urged users to reset their API keys, OAuth tokens, and passwords.

In a notice to users, Bitly’s CEO, Mark Josephson, said that account credentials were compromised, but didn’t offer any additional details.

“We have reason to believe that Bitly account credentials have been compromised,” Josephson’s statement explained.

“We have no indication at this time that any accounts have been accessed without permission. For our users’ protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.”

The company posted manual steps on the blog for users to follow in order to reset account access, including passwords, OAuth tokens, and API keys.

The company said that they’ve “taken proactive measures to secure all paths that led to the compromise.”

However, when asked to explain further, a spokesperson pointed Salted Hash to the company blog and Twitter feed, refusing to comment further.

This post will be updated should Bitly change their tune, offering additional details in order to help the public better understand the problems that led to this incident.

Update:

Bitly has offered some additional insight into the incident. In a blog post, the company says that the cause of the breach was an offsite database backup.

Answering the most glaring question, Bitly says that the production database wasn’t accessed, so shortened URLs (and the data connected to them) were not altered or impacted by the compromise itself.

On Friday, the company updated their initial blog post to warn that user email addresses and encrypted passwords were compromised. However, the passwords were salted and hashed.

“If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5,” the blog explains.

According to an updated timeline, a third-party alerted the Bitly security team of a potential compromise of user credentials last Thursday. The company started investigating the reports, operating under the assumption that they were true.

“Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers,” Bitly’s update explained.

“They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised…”

Audits to the hosted source code repository, which contains the credentials needed to access the offsite database backup, turned up an employee’s account that had been improperly accessed. This access was then used to compromise the data hosted in the backup database.

The company has made a number of improvements to their security posture during the recovery process, and a good deal more are planned in the coming months. A list of changes can be viewed here.