Bitly Developing Two Factor Authentication Following Compromise

Link-shortening service Bitly announced that it’s ramping up its development of two-factor authentication following a compromise that leaked user information on Thursday.

The link-shortening service Bitly announced late last week that it’s ramping up its development of two-factor authentication following a compromise that leaked user information on Thursday.

The breach, first discovered Thursday morning, spilled users’ email addresses, encrypted (salted and hashed) passwords, API keys and OAuth tokens.

The team invalidated Twitter and Facebook credentials right off the bat, but developers had their hands full over the weekend adding and fine-tuning several additional layers of security.

The company claims it immediately implemented two-factor authentication on all accounts on the source code repository and that it’s rapidly developing the technology for

In a blog post on Friday, Rob Platzer, the company’s Chief Technology Officer, described the steps the company took in discovering the breach.

Platzer clarified that the security team of another technology company first informed Bitly of a potential compromise Thursday morning and from that point on Bitly proceeded as if it had been compromised.

After scouring the system for possible compromise vectors, Platzer claims Bitly’s security team was able to deduce that there had been no external connections to its production user database, production network or servers, but that the team had noticed a suspicious amount of traffic, not initiated by Bitly, coming from a separate, offsite database backup storage system.

“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account,” Platzer said.

As it began shoring up its system, the security team applied a series of fixes to the breached offsite storage systems, including rotating all of the affected system’s credentials and enabling detailed logging.

Bitly also rotated all SSL certificates, reset any credentials being used for code deployment, secured sensitive credentials with GNU Privacy Guard and updated its iPhone app to support the newly updated OAuth tokens, among other precautions.

The company insists that users shouldn’t be afraid of data loss as its production database was not compromised and there was no “unauthorized access to [its] production network or environment.”

It sounds as if Bitly users shouldn’t be too worried about their passwords either.

Platzer went on to specify that users who either registered, logged in or changed their password after January 8 had their password “hashed with BCrypt and HMAC using a unique salt” and that it still has no indication that any accounts were accessed without permission.
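The hashing scheme Platzer describes, a per-user salt combined with an HMAC under a server-side key and a slow password hash, as an added illustration that is not Bitly’s code. It assumes the HMAC key is held outside the user database (the post does not say where Bitly keeps it), and uses PBKDF2 from the standard library as a stand-in for bcrypt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed server-side HMAC key for this example only. The assumption is that
# a deployment loads it from a secrets store, never from the user database, so a
# dump of the password table alone is not enough to verify guesses against it.
SERVER_HMAC_KEY = b"example-server-side-key-not-for-production"

# PBKDF2 iteration count standing in for bcrypt's cost parameter.
ITERATIONS = 200_000


def _prehash(password: str, hmac_key: bytes) -> bytes:
    """HMAC the password under the server-side key before the slow hash."""
    return hmac.new(hmac_key, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, hmac_key: bytes = SERVER_HMAC_KEY,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # unique salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, hmac_key), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, hmac_key: bytes = SERVER_HMAC_KEY) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, hmac_key),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Without the server-side key, a leaked record cannot be checked against candidate passwords even when the salt and digest are known.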

Regardless, Bitly is still exercising caution and encouraging users who haven’t yet done so to log in and reset their Facebook and Twitter connections along with their Legacy API key and OAuth tokens.

  • Becky on

    I received that email from Bitly, too. I totally forgot I was even with the service seeing as how I haven't logged in in almost three years. I deleted my Twitter account two and a half years ago. I have been trying to Google to find some answers, but can find none. Maybe you can help. Seeing as how my Twitter account is long deleted and I don't bother with Bitly anymore (I don't even remember my password, anyway), is there any point in me trying to change my password? Or should I stop stressing about it and just let it go? And do you know if there's any way that a deleted Twitter account could be at risk of being brought back or something, because of this? I don't want the account anymore. But don't want something bringing it back without my knowing. Thank you!
    • Brian Donohue on

      You could always try to recover the Bitly account through the email address you set it up with. However, as long as you didn't share your Bitly password for any other services then you should be okay. As for Twitter (per their explanation): "Accounts are permanently deleted 30 days from the date they were deactivated. After 30 days, deactivated accounts cannot be reactivated." You should be okay. -Brian
  • Becky on

    Thank you. I don't remember my Bitly password. But I have used the same password for other things like email addresses and such over the years. I don't remember if I used the same one for Bitly. But no other account other than my long deleted Twitter account was ever connected to my Bitly account. If you say it should be all right, then I guess I can stop being upset about it. Thank you. :)
  • Scott Spinola on

    I got caught up in this too and also forgot my password. I just used the lost password feature and changed it. Regardless of whether I use an account anymore or not, if it's compromised I think it's a smart move to change the password anyway. Takes seconds and it can't hurt. No telling what someone can do by accessing it. Better to be safe.
  • Becky on

    You are right. And I actually did go through the process of changing it. Now it's done and I don't have to worry about it anymore. While I was there, I disconnected my deleted Twitter account from my Bitly profile.
