Bitly breach details revealed

Bitly has released more details about the breach that made them reset user account credentials and disconnect all users’ Facebook and Twitter accounts late last week:

Early Thursday morning, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.

Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts.

We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.

The company has undertaken many steps to mitigate the breach and improve security, including rotating all credentials for their offsite storage systems, rotating all SSL certificates, implementing GPG encryption of all sensitive credentials, enforcing two-factor authentication on all 3rd party services company-wide, and updating the Bitly iPhone App to support updated OAuth tokens.

Users who were left wondering if the company stored their passwords in plaintext can sigh a sigh of relief: “All passwords are salted and hashed. If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5,” the company revealed.

Among the data accessed by the attackers were users’ email addresses, encrypted passwords, API keys and OAuth tokens, located on an offsite static backup. The breach didn’t affect the company’s production database, network or environment, the company reassured.

“Unfortunately, from time to time this kind of breach happens, however it shouldn’t be considered as something regular or acceptable,” commented Dmitry Bestuzhev, head of global research and analysis team, Latin America, Kaspersky Lab.

“The biggest threat now is for those users having the same password for Bit.ly and their email address. It must be changed immediately and as a general rule: never use the same password or never recycle the same password for more than one service.”

He advises users to change their bit.ly password, then go to Twitter and revoke manually bit.ly access to the account.

“Once done, you may request a new one,” he notes. “Finally enable two-factor authentication for your email and Twitter accounts.”