Bitly says it has learned about the breach from the security team of another technology company, but the organization in question has not been named.
According to Bitly, the attackers have not gained access to the production user database or to other production systems. However, while investigating the possible breach, the company noticed an unusually high volume of traffic originating from an offsite database backup storage location, traffic that the company itself had not initiated.
It turns out that the attackers gained access to the database backup through a compromised employee account.
“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account,” Bitly CTO Rob Platzer notes in a blog post.
“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
The passwords stored in the database are salted and hashed, and no clear-text passwords have been exposed. However, passwords that have not been changed since January 8, 2014 were hashed with salted MD5; passwords set or changed after that date are hashed with bcrypt and HMAC using a unique salt.
However, since many users have probably not changed their passwords this year, it is safe to assume that a large number of passwords have been compromised. That is probably why the company is advising customers to change their passwords immediately.
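The two hashing schemes described above differ in how much work an offline guess costs: a salted MD5 is a single fast digest, whereas a bcrypt-style scheme adds a deliberately slow, salted key derivation. The example below, added here and not Bitly's own code, models a user table that still holds legacy salted-MD5 records and upgrades each record to the stronger scheme the next time its owner logs in successfully. It assumes a server-side HMAC key and, because bcrypt is not in Python's standard library, uses `hashlib.pbkdf2_hmac` as a stand-in for the slow hash; the record scheme name `"slow-standin"` and the data layout are likewise constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Constructed server-side HMAC key: lives in application config, never in the database.
SERVER_KEY = b"constructed-server-side-hmac-key"
PBKDF2_ROUNDS = 200_000  # stand-in work factor; bcrypt would use a cost parameter instead


@dataclass
class Record:
    """One row of a hypothetical user table: which scheme protects it, its unique salt, the digest."""
    scheme: str   # "md5" for legacy salted MD5, "slow-standin" for the upgraded scheme
    salt: bytes
    digest: bytes


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Legacy scheme as the article describes it: one salted MD5 digest.
    # Salting defeats precomputed tables but the single fast digest still
    # lets an attacker with the dump test guesses at hardware speed.
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def new_hash(password: str, salt: bytes) -> bytes:
    # Upgraded scheme: HMAC with a server-side key first, then a slow salted KDF.
    # pbkdf2_hmac stands in for bcrypt here (assumption, see lead-in).
    keyed = hmac.new(SERVER_KEY, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ROUNDS)


def make_record(password: str, legacy: bool = False) -> Record:
    """Create a fresh record; legacy=True simulates an account last changed before the cut-over."""
    salt = os.urandom(16)  # unique per record
    if legacy:
        return Record("md5", salt, legacy_hash(password, salt))
    return Record("slow-standin", salt, new_hash(password, salt))


def verify_and_upgrade(record: Record, password: str) -> Tuple[bool, Record]:
    """Verify against whichever scheme the record uses.

    On a successful login against a legacy record, return a re-hashed record so the
    account stops depending on MD5 without requiring the user to pick a new password.
    Comparisons are constant-time to avoid leaking digest prefixes through timing.
    """
    if record.scheme == "md5":
        ok = hmac.compare_digest(legacy_hash(password, record.salt), record.digest)
        return (True, make_record(password)) if ok else (False, record)
    ok = hmac.compare_digest(new_hash(password, record.salt), record.digest)
    return ok, record


def legacy_count(records) -> int:
    """How many records would still be exposed as salted MD5 if the table were dumped today."""
    return sum(1 for r in records if r.scheme == "md5")


if __name__ == "__main__":
    # Constructed sample table: two users who have not logged in since the cut-over, one who has.
    table = [make_record("hunter2", legacy=True), make_record("correct horse", legacy=True), make_record("s3cret")]
    print("legacy records before logins:", legacy_count(table))
    ok, table[0] = verify_and_upgrade(table[0], "hunter2")
    print("login ok:", ok, "legacy records after one login:", legacy_count(table))
```

The upgrade-on-login pattern only helps accounts whose owners actually sign in; dormant accounts keep their MD5 digests indefinitely, which is the population the article's "change your password immediately" advice is aimed at.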
Users are also advised to reconnect their social media accounts, which have been disconnected as a precaution. API keys and OAuth tokens should also be changed.
Notification emails sent by Bitly to customers
The company has already taken some steps to prevent future incidents, including rotating all SSL certificates, enabling detailed logging for offsite storage systems, rolling out GPG encryption for all sensitive credentials, and adding additional audit details to user security pages.
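Detailed logging on offsite storage matters because the signal Bitly actually caught was volume: backup storage serving far more data, to a source the company had not initiated, than a scheduled backup job would. The example below, added here and not Bitly's code, runs a simple detection over a few constructed storage access-log lines in an S3-style shape: it sums GET bytes per source address and day and flags any source that is not on a constructed allow-list of backup hosts or that pulls more than a constructed daily baseline. The addresses, bucket name, object keys and threshold are all made up for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed access-log sample (S3-style fields; not real Bitly logs).
# 203.0.113.7 pulls three full backups in minutes; 198.51.100.20 is the job that writes them.
SAMPLE_LOG = """\
2014-05-07T02:10:11Z backup-bucket GET db-backup/2014-05-06.sql.gz 203.0.113.7 bytes=734003200 user=backup-svc
2014-05-07T02:12:40Z backup-bucket GET db-backup/2014-05-05.sql.gz 203.0.113.7 bytes=729000000 user=backup-svc
2014-05-07T02:15:02Z backup-bucket GET db-backup/2014-05-04.sql.gz 203.0.113.7 bytes=731000000 user=backup-svc
2014-05-07T03:00:00Z backup-bucket PUT db-backup/2014-05-07.sql.gz 198.51.100.20 bytes=740000000 user=backup-svc
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<bucket>\S+) (?P<op>GET|PUT) (?P<key>\S+) "
    r"(?P<ip>\S+) bytes=(?P<bytes>\d+) user=(?P<user>\S+)$"
)

# Constructed allow-list: the only host expected to touch the backup bucket.
KNOWN_SOURCES = {"198.51.100.20"}
# Constructed baseline: a restore test might read one backup a day, never several.
GET_BYTES_THRESHOLD = 1_000_000_000


def parse(log: str) -> List[dict]:
    """Parse log lines into dicts; lines that do not match the expected shape are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        rec["day"] = rec["ts"][:10]  # YYYY-MM-DD bucket for the daily total
        records.append(rec)
    return records


def find_suspicious_downloads(log: str) -> List[dict]:
    """Sum GET bytes per (source IP, day) and flag unknown sources or above-baseline volume.

    Note that the same service account appears on every line: a stolen credential
    looks like the legitimate job, so the source address and the volume are the
    discriminators, not the identity.
    """
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in parse(log):
        if rec["op"] == "GET":
            totals[(rec["ip"], rec["day"])] += rec["bytes"]

    findings = []
    for (ip, day), total in sorted(totals.items()):
        reasons = []
        if ip not in KNOWN_SOURCES:
            reasons.append("unknown source")
        if total > GET_BYTES_THRESHOLD:
            reasons.append("download volume above baseline")
        if reasons:
            findings.append({"ip": ip, "day": day, "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{f['day']} {f['ip']} pulled {f['bytes']:,} bytes: {', '.join(f['reasons'])}")
```

In a real deployment the allow-list and baseline would come from the backup job's own schedule and historical volumes rather than constants, and the finding would feed an alert rather than a print; the point of the example is that a bulk pull of backups by a credentialed but unexpected client is visible in access logs as soon as those logs exist.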
As far as two-factor authentication is concerned, Bitly has enforced the security mechanism on all third-party services used throughout the company, and it has accelerated the development of a two-factor authentication system for Bitly.com.
The company is also accelerating the development for email confirmation of password changes.