Bitly discloses account compromise, urges users to change passwords

Company said account credentials were compromised, but refused to provide details

On Thursday evening, Bitly (bit.ly), one of the Web's largest URL shortening services, urged users to reset their API keys, OAuth tokens, and passwords.

In a notice to users, Bitly's CEO, Mark Josephson, said that account credentials were compromised, but didn't offer any additional details.

"We have reason to believe that Bitly account credentials have been compromised," Josephson's statement explained.

"We have no indication at this time that any accounts have been accessed without permission. For our users' protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login."

The company posted manual steps on the blog for users to follow in order to reset account access, including passwords, OAuth tokens, and API keys.

The company said that they've "taken proactive measures to secure all paths that led to the compromise."

However, when asked to explain further, a spokesperson pointed Salted Hash to the company blog and Twitter feed, refusing to comment further.

This post will be updated should Bitly change their tune, offering additional details in order to help the public better understand the problems that led to this incident.
