Bitly asks users to secure accounts following security breach

Link shortening service Bitly is implementing two-factor authentication to secure user accounts following a breach last week. Bitly was alerted to a possible compromise of user credentials by a security team from another company, after which its production user database, production network and servers were combed for signs of having been hacked into.

A lot of unexpected traffic seemed to be originating from the Bitly offsite database backup storage, and this was found to have been the hotspot. The company claims to have then deployed two-factor authentication for all accounts in the source code register. User email IDs, encrypted passwords, API keys and OAuth tokens, amongst other details, were said to have been compromised.

Bitly had disconnected Facebook and Twitter profiles in response to the emergency and is now asking people to change their API key, OAuth token and password before hooking up their account to either of these social networks once again. The company’s iPhone app has been refreshed to accommodate updated OAuth tokens and there are detailed instructions for all users who need help with securing their accounts here.

The developers at Bitly have been working hard to make the necessary security upgrades to the website. They have turned on detailed logging on offsite storage systems, made two-factor authentication on all third-party services compulsory, added email confirmation of password changes to the priority list and sped up efforts to fully support two-factor authentication on the website.

Bitlinks, or shortened URLs, haven’t been hit by the security breach, and plain text passwords were not exposed. Hashed passwords were, however, compromised. The passwords of Bitly users who registered, signed in or changed their password after January 8, 2014, were converted to be hashed.
