Account credentials of Bitly users compromised
Web Services
The link shortening service has “reason to believe” encrypted passwords, API keys and OAuth tokens were exposed – but there are no signs unauthorized people have used the credentials to access accounts, company executives say.
A post on Bitly’s blog that disclosed the incident provides few details. It is unclear if the credentials were accidentally leaked or if someone took action to obtain them.
“We have no indication at this time that any accounts have been accessed without permission,” the company’s CEO Mark Josephson said in the post. “We have taken steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. “
Users might see their Facebook and Twitter accounts connected to their Bitly account, but it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles. Users can reconnect these accounts the next time they sign on.
Update:
Bitly officials have disclosed more details.
Passwords were accessed by hackers. But the credentials were encrypted. Investigators have traced the breach back to an employee’s compromised account.
The Bitly security team first learned of a potential incident from a security team at another technology company. After further investigation, Bitly determined an intruder had penetrated an employee’s account, which contained credentials for accessing offsite database backup storage. .
Bitly’s security team “observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly,” officials said. “We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. “
Bitly officials did not say how the employee’s account was compromised.
ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.