14 DAY TRIAL // Last week, Bitly notified customers that their accounts might have been compromised following a data breach. The company has provided more details and has confirmed that, in fact, cybercriminals gained unauthorized access to a database containing user information.
Bitly says it has learned about the breach from the security team of another technology company, but the organization in question has not been named.
According to Bitly, the attackers haven’t gained access to the production user database or to other production systems. However, while analyzing the possible breach, an unusually high volume of traffic originating from an offsite database backup storage that was not initiated by the company has been noticed.
It turns out that the attackers gained access to the database backup through a compromised employee account.
“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account,” Bitly CTO Rob Platzer notes in a blog post.
“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
The passwords stored in the database are salted and hashed. While no clear text passwords have been exposed, for the ones that haven’t been changed before January 8, 2014, salted MD5 has been used. The passwords set or changed after this date are hashed with bcrypt and HMAC using a unique salt.
However, considering that a lot of users have probably not changed their passwords this year, it’s safe to assume that a lot of passwords have been compromised. That’s probably why the company is advising customers to immediately change their passwords.
Users are also recommended to reconnect their social media accounts, since they’ve been disconnected as a precaution. Furthermore, API keys and OAuth tokens should also be changed.
As far as two-factor authentication is concerned, Bitly has enforced the security mechanism on all third-party services used throughout the company, and it has accelerated the development of a two-factor authentication system for Bitly.com.
The company is also accelerating the development for email confirmation of password changes.