Bitly Attacked, Advises Users to Reset Accounts
The CEO of Bitly publicly admitted on May 8 that the company's URL-shortening service was compromised.
Bitly CEO Mark Josephson blogged that compromised credentials include users' email addresses, encrypted passwords, API keys and OAuth tokens. OAuth tokens are used to connect a Bitly account to identity systems from Facebook and Twitter for user access.
The Bitly service is widely used on the Web and on social media sharing services as a way to provide users with short links for longer Web addresses. The privately held firm shortens a billion links per month.
Though Bitly admits to being compromised, company officials said they are not aware of user accounts being accessed without permission. That said, Bitly is taking measures to limit the risk.
"For our users' protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts," Josephson said. "Although users may see their Facebook and Twitter accounts connected to their Bitly account, it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles."
Josephson advises Bitly users to now log in to their accounts and reset the required OAuth token to connect and enable access from Facebook and Twitter.
While Bitly users can choose to sign up for a Bitly account and have that account connected to Facebook and Twitter, that's not the only method they can use Bitly to shorten a link. On the Bitly.com site, there is an interface that enables anyone to shorten a single link without the need to sign up for an account or to connect via Facebook or Twitter. Having a Bitly account, however, does provide users with additional features for link tracking.
Bitly also enables users to create an account with a username and password that is not linked to the user's Facebook or Twitter accounts.
Although there is no public indication currently of how the compromise may have occurred, Bitly is reassuring its users that the service is now secure. "We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward," Josephson said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.