The link-shortening service Bitly announced late last week that it’s ramping up its development of two-factor authentication following a compromise that leaked user information on Thursday.
The breach, first discovered Thursday morning, spilled users’ email addresses, encrypted (salted and hashed) passwords, API keys and OAuth tokens.
The team was quick to invalidate Twitter and Facebook credentials right off the bat but developers had their hands full over the weekend, adding and fine-tuning several additional layers of security.
The company claims it immediately implemented two-factor authentication on all accounts on the source code repository and that it’s rapidly developing the technology for Bitly.com.
In a blog post on Friday, Rob Platzer, the company’s Chief Technology Officer, described the steps the company took in discovering the breach.
Platzer clarified that the security team of another technology company first informed Bitly of a potential compromise Thursday morning and from that point on Bitly proceeded as if it had been compromised.
After scouring the system for possible compromise vectors, Platzer claims Bitly’s security team was able to deduce there hadn’t been any external connections to its production user database or its production network or server but that the team had noticed a suspicious amount of traffic emanating from a separate, offsite database backup storage that was not initiated by Bitly.
“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account,” Platzer said.
As it began shoring up its system, the security team applied a series of fixes to the breached offsite storage systems, including rotating all of the affected system’s credentials and enabling detailed logging.
Bitly also rotated all SSL certificates, reset any credentials being used for code deployment, secured sensitive credentials with GNU Privacy Guard and updated its iPhone app to support the newly updated OAuth tokens, among other precautions.
The company insists that users shouldn’t be afraid of data loss as its production database was not compromised and there was no “unauthorized access to [its] production network or environment.”
It sounds as if Bitly users shouldn’t be too worried about their passwords either.
Platzer went on to specify that users who either registered, logged in or changed their password after January 8 had their password “hashed with BCrypt and HMAC using a unique salt” and that it still has no indication that any accounts were accessed without permission.
Regardless, Bitly is still exercising caution and encouraging users who haven’t yet to log in and reset their Facebook and Twitter connections along with their Legacy API key and OAuth tokens.