Url shortener Bit.ly facing security issues; here's how users can secure their accounts

Sunday, 11 May 2014 - 8:54am IST | Agency: DNA Webdesk

Popular url shortener Bit.ly stated, on Saturday, that it believed the security of its account holders may have been compromised. In an online advisory released by the tech company, it instructed users to change their passwords.

How it happened
"Early Thursday morning, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company," they informed. "Over the course of the next few hours, the security team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorised access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts."

What are they doing about it?
They have, so far, taken some immediate steps to contain the attack. Among them are:
- Invalidated all Twitter and Facebook credentials
- Rotated all credentials for offsite storage systems
- Enabled detailed logging on offsite storage systems
- Rotated all SSL certificates
- Reset credentials used for code deployment
- GPG encryption of all sensitive credentials
- Enforced two-factor authentication on all third party services company-wide
- Accelerated development of our work to support two-factor authentication for bitly.com
- Accelerated development for email confirmation of password changes
- Added additional audit details to user security pages
- Updated iPhone App to support updated OAuth tokens

What should Bit.ly users do?
While their backend team works to fix any potential threats that could follow this breach, Bit.ly has also advised users to reset their passwords. "Please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts," they advise.

Following are step-by-step instructions to reset your API key and OAuth token:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’

For iPhone users, Bit.ly has already put out a security patch and advises a quick update to the latest version.
