If you have an account with the URL-shortening service Bitly you should read the “urgent security update” they have just published.
Bitly says it has reason to believe that its systems have been compromised, and account credentials could have fallen into the hands of hackers. However, the company says it doesn’t presently have any evidence that accounts have been accessed without proper authorisation.
We have reason to believe that Bitly account credentials have been compromised. We have no indication at this time that any accounts have been accessed without permission. For our users’ protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.
Something of a mystery remains about what happened. Bitly is currently declining to explain how it determined that the privacy of customer accounts had been breached, or what went wrong.
Furthermore, no details are shared regarding precisely what information the hackers might have got their hands on. For instance, if passwords were compromised, were they stored in plaintext or hashed? If they were hashed, was it done securely, with salting and other techniques that make it trickier for hackers to crack them?
Access to Bitly accounts might be attractive to criminals, because many are connected with users’ Facebook and Twitter profiles, opening the potential door for sending spam links and scam campaigns via the service. However, Bitly hasn’t confirmed if this has occurred and – in fairness to the service – it normally does a good job of blocking access to malicious links once they are reported to them.
What Bitly is happy to share, however, are instructions on what users should do next: reset your OAuth tokens, API key and password and then reauthorise any connected applications (such as Facebook and Twitter).
Following are step-by-step instructions to reset your API key and OAuth token:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
Many Bitly users are believed to have connected their accounts to their social media presences on the likes of Facebook and Twitter, but users will not be able to publish via Bitly to those sites until their profiles have been reconnected following the advice above.
It goes without saying that if you were using the same password for Bitly as any other website, you are playing a dangerous game. Change your password on Bitly, and choose new, different passwords for any other website or service where there is a risk that the same password could be used to open other parts of your online life.
Bitly’s CEO, Mark Josephson, signs off the advisory with an apology and a claim that the service takes security seriously:
We take your security and trust in us seriously. The team has been working hard to ensure all accounts are secure. We apologize for any inconvenience and we will continue to update our Twitter feed, @Bitly, as we have any further updates.
My hope is that Bitly will update its advisory in the near future with clearer information which will either put users’ minds at rest, or galvanise them into taking swifter action to protect themselves online.
Author: Graham Cluley, We Live Security