Bitly: Offsite Backup Hack To Blame For Breach

Thomas Brewster,
NSA backdoor broken packlock encryption security © keantian Shutterstock

Bitly employee credentials stolen from a source code repository – and then used to hit the site’s backup

Link shortening service Bitly said this weekend the breach that hit the firm last week was due to employee credentials being stolen, which gave access to the firm’s offsite database backup.

The keys to the backup were stored in a “hosted source code repository”, which was also compromised.

Bitly hacked

network scan machine fingerprint privacy security © Bruce Rolff ShutterstockBitly admitted to the breach on Thursday, warning users it was likely usernames and passwords were stolen. It also disconnected all users’ Facebook and Twitter accounts, as it was clear API keys and OAuth tokens were likely compromised too.

Initially, Bitly was accused of being opaque in detailing the breach, but has since offered more information to appease angry users.

“We had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts,” explained Rob Platzer, chief technology officer at Bitly, in a blog post.

“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account.

“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”

Those who signed up after 8 January are likely better protected, as their passwords were hashed with BCrypt and HMAC using a unique salt.  Before that, they were salted with MD5, which has known weaknesses.

A hash algorithm changes the password into a string of bits, known as the cryptographic hash value. A salt adds random data as an input to that hashing process, making it trickier for hackers to brute force (guess) a password.

What do you know about Internet security? Find out with our quiz!