Bitly announces security breach, advises users to change passwords

By Erin Ayers on May 12, 2014

bitly-logoThe URL-shortening service Bitly alerted users to a security breach over the weekend that revealed passwords, email addresses and other private data.

By May 11, Bitly explained the problem led the company to disconnect users’ Facebook, Twitter and the Bitly iPhone applications.

Users were advised to secure their account and change their passwords.

The firm’s CEO, Mark Josephson, said on the Bitly blog, “We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.”

He added, “We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all user data going forward. We take your security and trust in us seriously. The team has been working hard to ensure all accounts are secure.”

Josephson said another technology company made Bitly aware of the breach, which they began investigating immediately.

“The Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers,” said Rob Platzer, Bitly’s chief technology officer. “They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts.”

Bitly discovered unauthorized access on an employee’s account and began securing its system again further vulnerability, according to Platzer. He further noted that not all passwords were exposed; any user who logged in, changed their password or registered after Jan. 8, 2014, had already been converted to a different security system. No data or links produced by Bitly were in danger of being changed, the company asserted.

“The production database was never compromised nor was there any unauthorized access to our production network or environment.  The data was from an offsite static backup.  There was no risk of any data, including redirects, being changed,” said Platzer.'

Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].