Bitly Data Breach Hits Facebook, Twitter Users
Short-URL generator Bitly hit by data breach, but damage spills over to Facebook, Twitter due to shared credentials.
The URL-shortening service Bitly has suffered a data breach, and the collateral damage has spread to include Facebook and Twitter accounts.
"We have reason to believe that Bitly account credentials have been compromised," wrote Mark Josephson, CEO of New York-based Bitly, in a blog posting yesterday (May 8). "We have no indication at this time that any accounts have been accessed without permission."
MORE: Scariest Security Threats Headed Your Way: Special Report
Because Bitly is among thousands of websites that let users log in with Facebook or Twitter credentials, anyone who did so is urged to change their Facebook or Twitter passwords.
"For our users' protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts," the Bitly blog posting said. "All users can safely reconnect these accounts at their next login."
Facebook and Twitter use the login-proxy service OAuth to extend their authentication credentials to Bitly, so Bitly's servers don't store the actual passwords to accounts on those services. However, an attacker who got the OAuth tokens could still use them to access Facebook or Twitter accounts, at least temporarily.
"Please take the following steps to secure your account: change your API key [another form of proxy credentials] and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts," Josephson writes.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Josephson didn't include any information about how many Bitly users might be affected, what exactly was compromised or whether or how user passwords had been protected by one-way hashes. Nor did he say whether user passwords had been reset.
If you have an account directly with Bitly, it's probably best to change that password immediately.
Bitly, a privately held company, doesn't disclose the number of its registered users, but does say it "shortens more than 1 billion links per month." Presumably, many of those come from casual users without Bitly accounts.
Josephson's blog posting includes fairly involved steps to take to reset the OAuth tokens and API keys using Bitly's own site:
"1) Log in to your account and click on 'Your Settings,' then the 'Advanced' tab.
2) At the bottom of the 'Advanced' tab, select 'Reset' next to 'Legacy API key.'
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the 'Profile' tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the 'Connected Accounts' tab in 'Your Settings.'"
Bitly's own registration page asks only for a username, email address and password, so the extent of what might be disclosed from a native account is limited — as long as the user didn't re-use the same password elsewhere.
But anyone who's ever signed into Bitly using a Twitter or Facebook account will want to heed Josephson's advice.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.