While Bitly’s first description of the breach was rather vague, they have updated their blog with considerably more details:
On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.
Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.
Further on, they say they discovered unauthorized access to an employee's account on their offsite database backup storage. They go into the specific remediation actions on the blog and also posted a two-item FAQ:
Were passwords exposed?
Hashed passwords were exposed but plain text passwords were not. All passwords are salted and hashed. If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.
Were any of my Bitlinks affected or changed?
No. The production database was never compromised nor was there any unauthorized access to our production network or environment. The data was from an offsite static backup. There was no risk of any data, including redirects, being changed.
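The FAQ's distinction between "salted MD5" and "BCrypt and HMAC using a unique salt" is the part that matters for anyone holding a copied backup: MD5 is fast, so a salted MD5 record can be brute-forced offline far more cheaply than one behind a slow, work-factor hash. The following is an added example, not Bitly's code, showing the migrate-on-login pattern the FAQ describes (a legacy record is verified, then rewritten under the stronger scheme when the user next logs in). It assumes a server-side HMAC pepper stored outside the database, and it uses stdlib PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs without third-party packages; the record format, the pepper value and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: a server-side secret ("pepper") used in the HMAC step. It lives in
# application config, not in the user database, so an offsite database backup
# alone does not contain it. Value is constructed for this example.
PEPPER = b"constructed-example-pepper-not-a-real-secret"

# Stand-in cost parameter. bcrypt uses a log2 work factor instead; the point is
# the same: make each guess expensive for whoever copied the backup.
KDF_ITERATIONS = 200_000


def legacy_hash(password: str, salt: bytes) -> str:
    """Pre-January-2014 style record: salted MD5. Fast to compute, therefore
    fast to brute-force offline. Format (constructed): md5$<salt-hex>$<digest>."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def modern_hash(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> str:
    """Post-January-2014 style record: HMAC the password with the pepper first,
    then run the result through a slow, salted KDF. PBKDF2-HMAC-SHA256 stands in
    for bcrypt here (assumption). Format: kdf$<iterations>$<salt-hex>$<derived>."""
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return "kdf$" + str(iterations) + "$" + salt.hex() + "$" + derived.hex()


def is_legacy(stored: str) -> bool:
    """True when the record still uses the old salted-MD5 scheme."""
    return stored.startswith("md5$")


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, using a constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        salt = bytes.fromhex(fields[0])
        candidate = legacy_hash(password, salt)
    elif scheme == "kdf":
        iterations = int(fields[0])
        salt = bytes.fromhex(fields[1])
        candidate = modern_hash(password, salt, iterations)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify the password and, on success, upgrade a legacy record in place.

    Returns (accepted, record_to_store). This is the "converted to be hashed
    with BCrypt and HMAC" step from the FAQ: the plaintext is only available at
    login, so that is the only moment a legacy hash can be re-derived.
    """
    if not verify(password, stored):
        return False, stored
    if is_legacy(stored):
        stored = modern_hash(password, os.urandom(16))
    return True, stored


if __name__ == "__main__":
    # Constructed demonstration of the migration path.
    old_record = legacy_hash("correct horse battery staple", os.urandom(8))
    print("legacy record :", old_record)
    accepted, new_record = login("correct horse battery staple", old_record)
    print("accepted      :", accepted)
    print("upgraded record:", new_record)
    print("still verifies :", verify("correct horse battery staple", new_record))
```

Records that never see another login stay on the old scheme, which is exactly why the FAQ draws the January 8th line: a backup taken after that date still holds salted MD5 for every account that had not logged in since, so the password reset advice applies regardless of which scheme a given account was on.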
Bottom line: it could have been much worse, but you should take the steps listed in my previous post.