Bitly reveals hackers stole secret keys from hosted code repository

Amazon Web Services last month warned developers against storing their credentials in plaintext in GitHub, which appears to be what was behind last week's Bitly hack.

Popular link shortener Bitly has revealed the attack that caused it to disconnect all users’ Facebook and Twitter accounts last week was a compromised employee account to its hosted code repository — where it stored the secret key to its "offsite backup" database.

Bitly announced last Friday that users’ account credentials were compromised and quickly described what actions users should take. However, security experts criticised the company for being vague about what exactly was compromised, how passwords were protected, and how it discovered the breach in the first place.

The company appears to have listened to that criticism, on Saturday clarifying that hackers stole credentials to its backup database, but not its production database, after an employee account on its hosted source code repository was compromised.

According to Rob Platzer, Bitly’s chief technology officer, the company’s security team was alerted to a possible breach early Thursday morning by an unnamed tech company. After that Bitly’s team discovered suspicious traffic from an offsite database backup.

According to Platzer, from that point, the company judged it best to “assume the user database was compromised”, which explained its initial response on Friday to disconnect all Facebook and Twitter accounts tied to a Bitly account.

“[T]he Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers,” Platzer wrote on Saturday.

“They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.”

Further investigations revealed that the attacker was able to breach the offsite backup because Bitly had stored the credentials for accessing it in its hosted source code repository.

“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”

Bitly doesn’t mention which hosted source code repository it was using; however, if the company’s tale sounds familiar, that’s because only last month Amazon Web Services cautioned developers against storing their AWS log-in credentials in plain text on GitHub — a practice that was worryingly common, as reported last month.
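The defensive control that both the AWS warning and the Bitly incident point to is scanning source files for plaintext credentials before they reach a hosted repository. The following is an added example, not code from Bitly, CSO or AWS: a small pre-commit style scanner that flags the documented `AKIA…` AWS access key ID format and any `password`/`secret`/`api_key`/`access_key` assignment whose quoted value has high Shannon entropy (random-looking keys score high, placeholders like `changeme` score low). The sample files and every key-like value in them are constructed for the demo.

```python
"""Scan source files for plaintext credentials before they are committed.

Added example (not Bitly's, CSO's or AWS's code). SAMPLE_FILES is
constructed for the demo; the AKIA... value is a fabricated placeholder
that only follows the documented 20-character AWS access key ID format.
"""
import math
import re
from typing import Dict, List, Tuple

# AWS access key IDs are 20 uppercase alphanumerics beginning with "AKIA".
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Assignments such as  password = "...",  secret: '...',  api_key="..."
# (group 2 captures the quoted value; anything shorter than 8 chars is ignored).
CREDENTIAL_ASSIGNMENT_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|access[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, dictionary words low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return one finding per (line, rule) that looks like a hard-coded credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID_RE.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
        m = CREDENTIAL_ASSIGNMENT_RE.search(line)
        if m:
            value = m.group(2)
            # Skip template references like "${DB_PASSWORD}" and low-entropy
            # placeholders; a real key or token is effectively random text.
            if not value.startswith("${") and shannon_entropy(value) >= entropy_threshold:
                findings.append((path, lineno, "high_entropy_credential"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (what a pre-commit hook would feed in)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents: one file that hard-codes backup
# storage credentials, one that reads them from the environment instead.
SAMPLE_FILES: Dict[str, str] = {
    "config/backup.py": (
        "# constructed sample: hard-coded credentials for the offsite backup bucket\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE0000000AB'\n"
        'backup_secret = "q8Tz3vLp9XwK2mNb7RcD4hFj6sGy1Ae5"\n'
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
        'admin_password = "changeme"\n'
    ),
    "config/settings.py": (
        "# constructed sample: the safe pattern, credentials injected at runtime\n"
        "BACKUP_KEY = os.environ['BACKUP_KEY']\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run as a pre-commit hook, a non-empty result blocks the commit; the entropy threshold is a tuning knob, and the obvious complement is reading credentials from the environment or a secrets manager (as `settings.py` does) so there is nothing in the tree to leak in the first place.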

In addition, Bitly’s Platzer clarified that until January it was using the ill-advised MD5 algorithm to hash passwords, albeit with the additional protection of salting.

“Hashed passwords were exposed but plain text passwords were not. All passwords are salted and hashed. If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.”
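Two things in the passage above are worth seeing in code: why salted MD5 is ill-advised (it is a fast general-purpose hash, so an attacker holding a leaked table can test guesses at enormous rates, salt or not), and the upgrade-on-login pattern Platzer describes, where a legacy hash is replaced by the slow one the next time the user authenticates. The block below is an added example, not Bitly's code; bcrypt is not in Python's standard library, so `hashlib.pbkdf2_hmac` (PBKDF2-HMAC-SHA256 with a high iteration count) stands in for it, and the storage format, user table and passwords are constructed for the demo.

```python
"""Legacy salted-MD5 hashes versus a slow salted hash, with upgrade on login.

Added example, not Bitly's code. PBKDF2-HMAC-SHA256 stands in for bcrypt
(not in the standard library); the structure is the same: per-user random
salt, deliberately slow hash, constant-time comparison. The "scheme$..."
string format and the user table are constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000


def hash_md5_legacy(password: str, salt: bytes) -> str:
    """The pre-January-2014 scheme: MD5 over salt + password. Fast, hence weak."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def hash_slow(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted, key-stretched hash (bcrypt stand-in)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format, comparing in constant time."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "md5":
        _, salt_hex, _digest = parts
        expected = hash_md5_legacy(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, stored)
    if scheme == "pbkdf2":
        _, iters, salt_hex, _dk = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(f"pbkdf2${iters}${salt_hex}${dk.hex()}", stored)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; on success, silently re-hash a legacy MD5 entry with the slow scheme.

    The plaintext password is only available at login, which is why a migration
    like the one Platzer describes happens on registration, login or password change.
    """
    stored = users[username]
    if not verify(stored, password):
        return False
    if stored.startswith("md5$"):
        users[username] = hash_slow(password)
    return True


def guesses_per_second(hash_fn: Callable[[str], str], seconds: float = 0.2) -> float:
    """Measure how many candidate passwords per second one CPU core can hash."""
    deadline = time.perf_counter() + seconds
    count = 0
    start = time.perf_counter()
    while time.perf_counter() < deadline:
        hash_fn(f"guess{count}")
        count += 1
    return count / (time.perf_counter() - start)


def compare_guess_rates() -> Tuple[float, float]:
    """(salted-MD5 rate, slow-hash rate): the gap is the attacker's cost increase."""
    salt = b"\x01" * 8
    return (
        guesses_per_second(lambda p: hash_md5_legacy(p, salt)),
        guesses_per_second(lambda p: hash_slow(p, salt + salt)),
    )


if __name__ == "__main__":
    # Constructed user table: one account still on the legacy scheme.
    users = {"alice": hash_md5_legacy("correct horse battery", os.urandom(8))}
    print("before:", users["alice"][:12])
    print("login ok:", login(users, "alice", "correct horse battery"))
    print("after: ", users["alice"][:12])
    md5_rate, slow_rate = compare_guess_rates()
    print(f"guesses/sec  salted MD5: {md5_rate:,.0f}   slow hash: {slow_rate:,.0f}")
```

The salt defeats precomputed tables but does nothing about speed; only the iteration count (bcrypt's cost factor, PBKDF2's iterations) does that, and it should be raised over time as hardware improves. Note that accounts which never log in keep the weak hash indefinitely, which is the residual risk behind the January 8th cut-off in Platzer's statement.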

Stories by Liam Tung