While Bitly’s first description of the breach was rather vague, they have updated their blog with considerably more details:
On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.
Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.
Going on, they say they discovered unauthorized access to an employee’s account on their offsite database backup storage. They go into specific action details on the blog and also posted a two item FAQ:
Were passwords exposed?
Hashed passwords were exposed but plain text passwords were not. All passwords are salted and hashed. If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.
Were any of my Bitlinks affected or changed?
No. The production database was never compromised nor was there any unauthorized access to our production network or environment. The data was from an offsite static backup. There was no risk of any data, including redirects, being changed.
Bottom line: it could have been much worse, but you should take the steps listed in my previous post.
Got this email late last Friday:
Dear Ken Harthun,
We have reason to believe that your Bitly account credentials have been compromised; however, we have no indication at this time that your account has been accessed without permission.
Just to be safe, we have proactively disconnected any connections you might have had to publish on Facebook and Twitter from your Bitly account. You can safely reconnect these accounts at your next login.
Although you may see your Facebook and Twitter accounts connected to your Bitly account, it is not possible to publish to these accounts until you reconnect your Facebook and Twitter profiles.
To ensure the security of your account, please take the following steps:
1) Go to Your Settings Profile tab and reset your password.
2) Go to Your Settings Connected Accounts tab to disconnect and reconnect any Twitter or Facebook accounts. If you have any connected applications, disconnect and reconnect through the third-party application.
3) Go to Your Settings Advanced tab to reset your API key. If you are a developer using your API key, copy the new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
We have taken measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward.
We apologize for any inconvenience and we will continue to update our Twitter feed, @Bitly, as we have any further updates.
The Bitly Team
This is something I have never advised anyone to do, but I’m doing it now: change all of your passwords. There have been so many breaches recently that I don’t trust any of my passwords to still be secure. I doubt that I’m even a serious target, but I’m not taking any chances. You shouldn’t take chances either.
I’m talking about things that matter, like banking and credit card sites and online bill payment sites – anything that may contain your credit card, bank info, or other payment information. Change PayPal, too, unless you are using two-factor authentication; even with 2FA, it’s not a bad idea to change the password.
With the recent Heartbleed, IE, Flash, and Apple vulnerabilities, it’s not safe to trust your information on any sites to an insecure password. When you change them, make sure they are at least 12 characters and don’t include any recognizable dictionary words. I’ve given you many ways to create a memorable secure password, so just search “password harthun” and you can find those.
On Sunday night, Apple took down its Developer Center to patch a security hole that allowed anyone to access personal contact information for any registered developer, any Apple Retail or corporate employee, and even some key partners.
According to 9to5Mac, a Macintosh-focused news venue, a tipster sent an email into its tips box “that contained the personal contact information – including cell phone numbers – of several of the publication’s staffers, as well as a few high-ranking Apple executives.” You can read the full article at the link above.
In a stellar example of responsible disclosure, 9to5Mac withheld any information until after Apple fixed the issue:
Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple. As of last night, the hole has been patched. Keep reading for the full details of how the breach was executed and exactly what information was at risk.
Good for them!
If you are (heaven forbid) an AOL mail user, change your password immediately. There has been a large-scale breach of AOL Mail accounts. Passwords, security questions, mail addresses and even contact lists were compromised, though the data were encrypted. According to AOL, no users’ financial information was compromised, and the encryption on passwords and security questions has not been broken.
There is, however, a big difference between encryption and hashing. It’s easy to mount a brute-force attack against stored password hashes, not so easy (actually nearly impossible) to break encryption. Since we don’t know the details here, it’s best to change your AOL Mail password and security question.
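Bitly’s FAQ above contrasts salted MD5 with BCrypt, and the paragraph above says stored hashes are easy to brute-force. The script below is an added example for this post, not code from Bitly, AOL, Sophos or anyone quoted here. It stores one password under both a fast scheme (salted MD5, as in the FAQ) and a deliberately slow one, then measures what a wordlist run costs against each. Because bcrypt needs a third-party package, the slow scheme is PBKDF2-HMAC-SHA256 from the standard library, which makes the same point; the wordlist, the password and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the dictionary a guessing run would use.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "bitly2014", "dragon"]

# Work factor for the slow scheme (assumed value; deployments tune it to their hardware).
PBKDF2_ITERATIONS = 100_000


def hash_salted_md5(password: str, salt: bytes) -> bytes:
    """Legacy scheme from the FAQ: one MD5 over salt + password. One hash per guess."""
    return hashlib.md5(salt + password.encode()).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow scheme: PBKDF2-HMAC-SHA256, a standard-library stand-in for bcrypt.
    Every guess costs `iterations` HMAC computations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, scheme: str) -> dict:
    """Store a password the way a user database would: scheme, unique salt, hash."""
    salt = os.urandom(16)  # fresh per record, so equal passwords get different hashes
    if scheme == "md5":
        digest = hash_salted_md5(password, salt)
    elif scheme == "pbkdf2":
        digest = hash_pbkdf2(password, salt)
    else:
        raise ValueError("unknown scheme: " + scheme)
    return {"scheme": scheme, "salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a candidate and compare in constant time."""
    if record["scheme"] == "md5":
        digest = hash_salted_md5(candidate, record["salt"])
    else:
        digest = hash_pbkdf2(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def guessing_cost(record: dict, wordlist=WORDLIST) -> tuple:
    """Run the wordlist against one stored record.
    Returns (recovered password or None, number of guesses, seconds spent)."""
    start = time.perf_counter()
    for count, word in enumerate(wordlist, start=1):
        if verify(record, word):
            return word, count, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def hash_work_per_guess(scheme: str) -> int:
    """How many hash/HMAC computations a single guess costs under each scheme."""
    return 1 if scheme == "md5" else PBKDF2_ITERATIONS


if __name__ == "__main__":
    for scheme in ("md5", "pbkdf2"):
        rec = make_record("bitly2014", scheme)
        found, guesses, secs = guessing_cost(rec)
        print(f"{scheme:7s} recovered={found!r} after {guesses} guesses "
              f"in {secs:.4f}s ({hash_work_per_guess(scheme)} hash ops per guess)")
```

Two things to notice when you run it. The salt does not stop guessing at all; both records give up the password on the fifth guess. What the salt does is force a separate run per user instead of one precomputed table for everyone. The slow scheme is what changes the economics: the same five guesses take roughly a hundred thousand times more hash work, which is why a leaked bcrypt (or PBKDF2) database buys users time and a leaked salted-MD5 database does not.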
Sophos, in this blog post, says:
What to do if your account was compromised
If you’re an AOL Mail user, visit account.aol.com to change your password and security question immediately.
If you use the same password as your AOL account for other websites, change those passwords as well – and remember, you should use a unique password for each of your online accounts in case one of them is compromised.
Consider using a password manager such as LastPass or 1Password to generate and store complex passwords.
From Krebs on Security:
Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.
This is also tied in with the vulnerability in IE that I posted yesterday.
Flash is required on many web sites (I won’t rant about this now, but that is really pretty stupid, given Adobe’s dismal security record), but that doesn’t mean you have to allow it to run willy-nilly. Google Chrome, Mozilla Firefox and Opera allow you to block plugin activity, giving you the option to run it only when you trust the site. Krebs posted an article on how to do this here.
Stop using Internet Explorer and switch to an alternative browser immediately. Microsoft just announced a zero-day vulnerability in Internet Explorer that is being actively exploited in targeted attacks; they have not yet issued a fix. All versions of IE are affected.
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
This means that you don’t have to do anything at all except visit a poisoned website to be affected. There is no patch, but Microsoft is recommending that Internet Explorer users install its free Enhanced Mitigation Experience Toolkit (EMET) to harden security of Windows systems.
I recommend you stay away from IE entirely and run an alternative browser.
Be on the lookout for an out-of-band patch from Redmond.
In light of the plethora of data breaches in the news, it behooves us to use two-factor authentication (2FA) where it is available. I use it for important accounts like LastPass, eBay and PayPal. Where it is offered on other financial accounts, I use it. You should, too. But how do you know who offers it? Here is a great website that shows who does and doesn’t offer 2FA and what methods they use: http://twofactorauth.org/.
I’m going to be setting up 2FA on all of the listed services I use and for which I don’t currently have 2FA enabled. I suggest you do the same. Can’t hurt and can only help by making it more difficult for the cybercriminals to get access to your information.
In light of Microsoft Security Advisory 2953095, I am restating advice I first published in 2008. While this particular vulnerability may not be directly related to previewing email messages, it is still a viable attack vector.
Here is what I originally called “Security Maxim #6:”
Some of these tips may very well be “everybody knows” types of things, but I find that these are often the things that get overlooked. That’s why I’m publishing them as computer security maxims. Take a look at the recent furor surrounding the cold boot attack against disk encryption. That was an “everybody knows,” too.
I get questions all the time over at Ask the Geek [site no longer active] about using a mail client’s message preview feature. Opinions vary, of course, but for this geek, it’s a bad idea. In order to preview a message, it has to be opened or rendered by the HTML engine. Think about how a PC can be infected by a malicious web site and you’ll immediately understand the danger: the same malicious programs can exist in scripts in HTML messages. It’s a serious security risk.
Security Maxim #6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
Yes, another post about passwords, choosing secure ones. Unfortunately, they aren’t going to go away anytime soon and, equally unfortunately, they are getting easier and easier to break. In a recent blog post, Bruce Schneier said: “As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.”
Indeed. Agreed. I’ve written many posts about how to choose secure passwords. I’m not the only one. In addition to the blog post mentioned above, here are some other resources that have strategies designed to help you create secure passwords. Oh, and regardless of what any of these articles say is the best length for a password, I recommend no fewer than 12 characters and prefer 15 characters. This number is always a moving target, subject to adjustment upward as computing power increases. Here’s my top five list:
Steve Gibson’s Password Haystacks: https://www.grc.com/haystack.htm
My article: Is your password “qeadzcwrsfxv1331?”
Sophos’ How to Choose a Strong Password: http://nakedsecurity.sophos.com/2010/02/03/choose-strong-password
Roger Grimes’ Creating strong passwords is easier than you think
Microsoft’s Tips: http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
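As an added illustration of the length rule above and of the “haystack” idea behind the first link, here is a small Python checker. It is example code for this post, not code from Steve Gibson, Sophos, Roger Grimes or Microsoft. It applies the two rules stated above (at least 12 characters, no recognizable dictionary words), then sizes the search space an exhaustive guessing run would have to cover and the time to exhaust it. The mini-dictionary and the guessing rate of 1e11 per second are constructed assumptions for the demo, not measured figures.

```python
import string

# Constructed mini-dictionary; a real check would load a full wordlist.
DICTIONARY_WORDS = ["password", "letmein", "qwerty", "monkey", "dragon", "welcome", "summer"]

MIN_LENGTH = 12  # the floor recommended above

# Assumed guessing rate for the estimate only; not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that covers every class the
    password uses: lowercase, uppercase, digits, and printable symbols (32 plus space).
    This is the 'haystack' an exhaustive search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def search_space(password: str) -> int:
    """Number of strings of this length over this alphabet."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time for an exhaustive search at the assumed rate."""
    return search_space(password) / rate


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    """Case-insensitive substring match: 'Password1!' still contains 'password'."""
    lowered = password.lower()
    return any(word in lowered for word in words)


def check_password(password: str) -> dict:
    """Apply the two rules from the post and attach the haystack numbers."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return {
        "ok": not problems,
        "problems": problems,
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "seconds_to_exhaust": seconds_to_exhaust(password),
    }


if __name__ == "__main__":
    for candidate in ("Password1!", "monkeymonkeymonkey", "qeadzcwrsfxv1331"):
        result = check_password(candidate)
        years = result["seconds_to_exhaust"] / (365 * 24 * 3600)
        print(f"{candidate!r}: ok={result['ok']} problems={result['problems']} "
              f"alphabet={result['alphabet']} search_space={result['search_space']:.2e} "
              f"exhaust={years:.2e} years")
```

The order of the checks matters: the haystack size is only meaningful once the password is not something a wordlist or a pattern guess would reach first, which is why the dictionary test runs regardless of length. “monkeymonkeymonkey” is 18 characters and would score enormously on search space alone, yet it fails, while the 16-character mixed string from the article above passes both rules.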