Back on May 8, popular URL-shortening service Bitly admitted that its systems were compromised. As it turns out, Bitly has now disclosed that the problem is just the latest example of an insider compromise.
“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account,” Rob Platzer, CTO of Bitly, wrote in a blog post.
Precisely, how the employee’s account was compromised is unclear. What is particularly interesting is the Bitly response to the compromise.
“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities,” Platzer said.
Two-factor authentication is a technology I have long advocated should be widely deployed. With two-factor authentication, a second password (or factor) is needed to log in to a site or service. What two-factor authentication provides, in one stroke, is risk mitigation against an attacker that is able to compromise a single password system.
I often think of two-factor authentication as being just about users. It’s important to remember that employees and internal staff are users, too, and need to be secured in a robust manner.
While we don’t know exactly how the Bitly employee account was compromised, what is clear from my perspective is that employees remain weak links in security. Many organizations have spent time and money securing their enterprises from external threats, but don’t have the same rigor in place internally.
What’s also particularly interesting about the Bitly attack is that the company did not discover the attack on its own.
“On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company,” Platzer said.
It’s not uncommon today for security threats to be reported by third-party researchers, but it does beg the question why Bitly didn’t see it first.
The bottom line is that security is complex and there are multiple layers required to secure an organization. Two-factor authentication is one solid approach that can be effective at mitigating risk. In the Bitly example, apparently no real harm was done and end users were not really affected. Nonetheless, this example should once again serve as yet another wake-up call to organizations of all sizes to secure both internal and external users.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.