
Bitly: Offsite Backup Hack To Blame For Breach

Link shortening service Bitly said this weekend the breach that hit the firm last week was due to employee credentials being stolen, which gave access to the firm’s offsite database backup.

The keys to the backup were stored in a “hosted source code repository”, which was also compromised.

Bitly hacked

Bitly admitted to the breach on Thursday, warning users it was likely usernames and passwords were stolen. It also disconnected all users’ Facebook and Twitter accounts, as it was likely that API keys and OAuth tokens had been compromised too.

Initially, Bitly was accused of being opaque in detailing the breach, but has since offered more information to appease angry users.

“We had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts,” explained Rob Platzer, chief technology officer at Bitly, in a blog post.

“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account.

“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
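The root cause Bitly describes, credentials for the backup storage sitting in a hosted source code repository, is the kind of thing a pre-commit or CI secret scan is meant to catch before it lands. The following is an added example and not code from Bitly or from this article; it scans a constructed set of repository files for two signals: a secret-looking configuration key assigned a literal value (rather than an environment-variable reference), and any long high-entropy token. All file contents, paths and key values are made up for the example, and the key-name list and entropy threshold are assumptions a team would tune to its own repositories.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample repository contents. The key values are invented for the
# example and are not real credentials.
SAMPLE_FILES = {
    "config/backup.yml": (
        "backup_bucket: offsite-db-backups\n"
        "access_key_id: AKIAEXAMPLEEXAMPLE12\n"
        "secret_access_key: 7Qz9vX2mN4pL8kR1sT6wY3uH5jB0cF9dG2eA8iK4\n"
    ),
    "README.md": "Backups are restored with scripts/restore.sh\n",
    "scripts/restore.sh": (
        "#!/bin/sh\n"
        "# Reads credentials from the environment instead of the repository\n"
        "sync_backup \"$BACKUP_BUCKET\" /restore\n"
    ),
}

# Rule 1: a configuration key whose name suggests a secret, assigned a literal.
# The name list is an assumption; extend it for your own conventions.
SECRET_NAME = re.compile(
    r"(?i)\b([A-Za-z_]*(?:secret|password|passwd|access_key|api_key|token)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s]+)"
)
# Rule 2: any long token; flagged only if its Shannon entropy is high.
LONG_TOKEN = re.compile(r"[A-Za-z0-9/+=_-]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    path: str
    line: int
    rule: str      # "named-secret" or "high-entropy"
    name: str      # config key name, or a truncated preview of the token
    entropy: float


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Return findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_NAME.finditer(line):
            name, value = m.group(1), m.group(2)
            # "$VAR" / "${VAR}" means the value comes from the environment at
            # runtime, which is what the repository should contain.
            if value.startswith("$"):
                continue
            findings.append(Finding(path, lineno, "named-secret", name, shannon_entropy(value)))
        for m in LONG_TOKEN.finditer(line):
            token = m.group(0)
            ent = shannon_entropy(token)
            if ent >= entropy_threshold:
                findings.append(Finding(path, lineno, "high-entropy", token[:8] + "...", ent))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan every file in a {path: contents} mapping, in path order."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.name} (entropy {f.entropy:.2f} bits)")
```

Run against the constructed files, only `config/backup.yml` produces findings: the access key and secret key lines trip the named-secret rule, and the 40-character secret also trips the entropy rule, while the restore script, which reads its bucket from the environment, is clean. The same `scan_text` can be wired into a pre-commit hook by feeding it the staged contents of each file.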

Those who signed up after 8 January are likely better protected, as their passwords were hashed with BCrypt and HMAC using a unique salt. Before that, they were hashed with salted MD5, which has known weaknesses: it is fast to compute, which makes bulk password guessing cheap.

A hash algorithm turns the password into a fixed-length string of bits, known as the cryptographic hash value, from which the original password cannot be read back directly. A salt adds random data as an extra input to that hashing process, so that two users with the same password end up with different hash values and an attacker cannot reuse precomputed tables, making it trickier for hackers to brute force (guess) a password.
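To make the difference between the two schemes concrete, here is an added example (not code from Bitly or from this article) in Python's standard library. The legacy side is salted MD5 as the article describes for pre-January accounts. The stronger side mirrors the described "BCrypt and HMAC with a unique salt" design, with one substitution: because bcrypt is not in the standard library, `hashlib.scrypt`, another deliberately slow password hash, stands in for it, and the HMAC step uses a constructed server-side key (`PEPPER`) that a real deployment would keep outside both the database and the source repository. The salts, passwords and key are all made up for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed server-side HMAC key (assumption standing in for whatever key the
# real scheme uses). Kept out of the user database so a dumped table alone is
# not enough to start guessing.
PEPPER = b"example-server-side-key-not-for-production"


def unsalted_md5(password: str) -> str:
    """Plain MD5: identical passwords give identical, precomputable hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def legacy_md5(password: str, salt: bytes) -> str:
    """Salted MD5, the weaker scheme the article describes for older accounts."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """HMAC the password with the server key, then run a slow, salted KDF.

    scrypt stands in for bcrypt here (assumption; bcrypt is not in the stdlib).
    n/r/p set the cost: 128 * n * r bytes of memory and proportional CPU time.
    """
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    return hashlib.scrypt(keyed, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Create what would be stored for a new user: a unique salt and the hash."""
    salt = os.urandom(16)
    return salt, strong_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the hash."""
    return hmac.compare_digest(strong_hash(password, salt), stored)


def guesses_per_second(hash_fn, n: int, salt: bytes = b"0" * 16) -> float:
    """Rough measure of how many candidate passwords an attacker could test per second."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"candidate{i}", salt)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    salt, stored = make_record("correct horse battery staple")
    print("verify correct:", verify("correct horse battery staple", salt, stored))
    print("verify wrong:  ", verify("hunter2", salt, stored))
    print("same password, unsalted MD5 identical:",
          unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    print("same password, two salts differ:",
          legacy_md5("hunter2", os.urandom(16)) != legacy_md5("hunter2", os.urandom(16)))
    print(f"salted MD5 guesses/s: {guesses_per_second(legacy_md5, 20000):,.0f}")
    print(f"slow KDF guesses/s:   {guesses_per_second(strong_hash, 10):,.1f}")
```

The last two lines of output are the point of the upgrade: on ordinary hardware the salted MD5 loop runs at hundreds of thousands to millions of guesses per second, while the memory-hard KDF manages only tens, so a leaked table of the newer records costs an attacker orders of magnitude more per guess. The salt alone removes the shortcut of precomputed tables; the slow KDF and the server-side key are what keep each individual guess expensive.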


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Comments

  • The online world is most certainly not hack proof. This story illustrates a more traditional approach to getting on the inside. Interesting.

    On a different note, whenever your readers do need a safe offsite Cloud solution, visit LogicWorks. Take the time to read the case studies to learn about the solutions they developed for specific companies. They are very capable.

    Interesting post.
