Security Corner

May 14 2014   3:10PM GMT

What happened at Bitly?

Ken Harthun

While Bitly’s first description of the breach was rather vague, they have updated their blog with considerably more details:

On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.

Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.

They go on to say that they discovered unauthorized access to an employee’s account on that offsite database backup storage. The blog lists the specific actions they took in response and also includes a two-item FAQ:

Were passwords exposed?

Hashed passwords were exposed but plain text passwords were not.  All passwords are salted and hashed.  If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt.  Before that, it was salted MD5.

Were any of my Bitlinks affected or changed?

No.  The production database was never compromised nor was there any unauthorized access to our production network or environment.  The data was from an offsite static backup.  There was no risk of any data, including redirects, being changed.
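The first FAQ answer above names two password storage schemes: salted MD5 for accounts last touched before January 8th, 2014, and HMAC plus bcrypt with a per-user salt after that date. The Python below is an added example, not Bitly’s code, showing why that distinction matters to someone who holds only the backup copy: a legacy salted-MD5 record falls to a plain wordlist run, a strong record does not, and a login path can migrate legacy records to the strong scheme the first time each user authenticates. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it as the slow hash. The HMAC key, the record layout, the function names and the sample passwords are constructed for this example, as is the assumption that the HMAC key is held by the application and is not part of the backup.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Hypothetical server-side HMAC key (an assumption of this example). It is held
# by the application, not stored in the user table, so a copy of a database
# backup does not carry it.
HMAC_KEY = b"example-key-kept-out-of-the-database"

# Work factor for the slow hash. The FAQ names bcrypt; it is not in the Python
# standard library, so PBKDF2-HMAC-SHA256 stands in for it here.
PBKDF2_ROUNDS = 100_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted MD5: the pre-January-2014 scheme named in the FAQ. One MD5
    call per guess, so an attacker holding the salt tries guesses at full speed."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def strong_hash(password: str, salt: bytes, key: bytes = HMAC_KEY) -> bytes:
    """HMAC the password with the server-side key, then run the slow salted
    hash over the result. Without the key the stored value cannot be tested."""
    keyed = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ROUNDS, dklen=32)


def make_record(password: str, scheme: str = "strong") -> dict:
    """Build a stored credential with a fresh random salt per user."""
    salt = os.urandom(16)
    fn = legacy_hash if scheme == "md5" else strong_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login with a constant-time compare. On success, re-hash a legacy
    record under the strong scheme in place: the plaintext is only in hand
    while the user is logging in, so this is when migration can happen."""
    fn = legacy_hash if record["scheme"] == "md5" else strong_hash
    if not hmac.compare_digest(fn(password, record["salt"]), record["hash"]):
        return False
    if record["scheme"] == "md5":
        record.update(make_record(password, "strong"))
    return True


def offline_crack(record: dict, wordlist: list, key: Optional[bytes] = None) -> Optional[str]:
    """What someone holding only the backup can do with one record. The salt is
    stored next to the hash, so a legacy record is a straight wordlist run. A
    strong record cannot even be attempted unless the HMAC key also leaked."""
    if record["scheme"] == "md5":
        fn = legacy_hash
    elif key is None:
        return None
    else:
        fn = lambda pw, salt: strong_hash(pw, salt, key)
    for guess in wordlist:
        if hmac.compare_digest(fn(guess, record["salt"]), record["hash"]):
            return guess
    return None


def guesses_per_second(record: dict, trials: int = 200, key: bytes = HMAC_KEY) -> float:
    """Rough single-core guess rate against one record, for illustration only.
    For a strong record the attacker is assumed to have the key, to isolate
    the cost of the hash itself."""
    fn = legacy_hash if record["scheme"] == "md5" else (lambda pw, s: strong_hash(pw, s, key))
    start = time.perf_counter()
    for i in range(trials):
        fn(f"guess{i}", record["salt"])
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample data: one user whose record is still salted MD5.
    wordlist = ["123456", "password", "letmein", "qwerty", "bitly2014"]
    rec = make_record("letmein", scheme="md5")
    print("legacy record cracked offline:", offline_crack(rec, wordlist))
    print("legacy guesses/s:", round(guesses_per_second(rec)))
    print("login ok:", verify_and_upgrade(rec, "letmein"))
    print("scheme after login:", rec["scheme"])
    print("crack without HMAC key:", offline_crack(rec, wordlist))
    print("strong guesses/s, key known:", round(guesses_per_second(rec, trials=10), 1))
```

Run it directly to see the guess-rate gap on your own machine. The upgrade-on-login pattern is the usual way to retire a weak hash without a forced reset: the plaintext is only available while the user is logging in, so the migration rides along with normal traffic. Until a user logs in, though, their record stays in the weak form, which is exactly why the FAQ singles out accounts not touched since January 8th, 2014.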

Bottom line: it could have been much worse, but hashed passwords did leave the building, and any account whose password was last set before January 8th, 2014 is protected only by salted MD5, which a password cracker can run through at very high speed. Take the steps listed in my previous post.
