Popular URL shortener Bit.ly has been the victim of a recent data breach. In a security report issued yesterday, Bitly urgently warned that its customers' credentials may have been compromised.
“We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens,” Bitly CEO Mark Josephson wrote in a blog post. Bitly noted there is no evidence of intruders accessing any accounts, but is taking proactive measures.
Bitly is a popular URL shortener founded in 2008. The service is used primarily on social media platforms, where it helps posts fit within tight character limits. Users paste a website link into the shortener, and Bitly returns a short link of 12 or so characters. The short link masks the real link, and the service offers powerful analytics to help website owners better test traffic and clicks. Bitly shortens more than one billion links per month and powers over 10,000 custom short domains for enterprises.
In this breach, Bitly suspects that user account information may have been compromised. To protect its users and their linked social media accounts, the company has disconnected all linked Facebook and Twitter accounts. It is asking users to reset their passwords and then reconnect their social media accounts.
Bitly has not released any information about how the attack may have occurred, noting only that the company has taken “proactive measures to secure all paths that led to the compromise.” An updated blog post mentions that an outside security firm contacted Bitly regarding the attack.
In addition, the company is asking all users to reset their API keys and OAuth tokens, following the instructions given on Bitly’s blog. Bitly’s CEO has recommended that users “please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts.”
To reset your API key and OAuth token, Bitly has given the following instructions:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
In another blog post, Bitly explained that only encrypted, salted and hashed passwords may have been compromised in the leak. “We take your security and trust in us seriously. The team has been working hard to ensure all accounts are secure.” The company also apologized for any inconvenience this may have caused.