Bitly Compromised, Users Urged to Change Passwords

Link shortening service Bitly informed its users that it believes user credentials – passwords, API keys and OAuth tokens – have been compromised.

Link shortening service Bitly informed its users Thursday that it believes user credentials – passwords, API keys and OAuth tokens – have been compromised.

While the company says there is no real indication that any accounts were accessed without authorization, in a post on its blog it says it has taken “proactive” steps to ensure its users’ security, which include disconnecting users’ Facebook and Twitter accounts from the service.

The service invalidated those credentials shortly after discovering the compromise Thursday, meaning that if users used either Facebook or Twitter to share shortened URLs, they’ll have to reconnect them the next time they log in if they want to publish through them.

An update to the blog entry this morning specifies that users should consider their email addresses, encrypted passwords, API keys and OAuth tokens all compromised.

Mark Josephson, Bitly’s CEO, penned the entry and was scant on details regarding the actual attack but did encourage users who don’t use either of the aforementioned social networks for sharing links to change their Legacy API key and OAuth token – and then reset their password. Instructions on how to exactly do that can be found on the company’s blog.

It’s unclear if the compromise is somehow connected to the OpenID and OAuth 2.0 security flaw that surfaced late last week, but we imagine more details regarding the compromise will come to light soon. Last Friday Singapore-based researcher Wang Jing publicized something he called a “Covert Redirect” vulnerability he dug up that affected certain OAuth and OpenID implementations. If used correctly by an attacker, the flaw can redirect users to URLs of their choosing after authorization and sniff their credentials.
