Link shortening service Bitly said this weekend the breach that hit the firm last week was due to employee credentials being stolen, which gave access to the firm’s offsite database backup.
The keys to the backup were stored in a “hosted source code repository”, which was also compromised.
Initially, Bitly was accused of being opaque in detailing the breach, but has since offered more information to appease angry users.
“We had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts,” explained Rob Platzer, chief technology officer at Bitly, in a blog post.
“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account.
“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
Those who signed up after 8 January are likely better protected, as their passwords were hashed with BCrypt and HMAC using a unique salt. Passwords of accounts created before that were hashed with salted MD5, which has known weaknesses.
A hash algorithm transforms the password into a fixed-length string of bits, known as the cryptographic hash value. A salt adds random data to the input of that hashing process, so that two users with the same password end up with different hash values, making it harder for attackers to brute-force (guess) a password from a stolen database.
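To make the two schemes the article contrasts concrete, here is an added example (not Bitly's code, and not a claim about how Bitly's systems are built) that shows a fast salted MD5 hash beside a keyed, deliberately slow scheme. Because bcrypt is not in the Python standard library, the slow step below uses PBKDF2-HMAC-SHA256 as a stand-in; the server-side HMAC key (`PEPPER`) and all sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed for this example: a server-side HMAC key that lives outside the
# user database, so a copy of the database alone is not enough to test guesses.
PEPPER = b"constructed-server-side-hmac-key"


def new_salt() -> bytes:
    """Per-user random salt; stored next to the hash, not secret."""
    return os.urandom(16)


def md5_salted(password: str, salt: bytes) -> str:
    """Legacy scheme the article describes: a single, fast MD5 round over salt+password.
    A salt defeats precomputed tables, but MD5 is so fast that an attacker holding the
    database can still test huge numbers of guesses per second per user."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: bytes, pepper: bytes = PEPPER,
                rounds: int = 200_000) -> str:
    """Stand-in for the bcrypt+HMAC scheme: first key the password with a server-held
    secret (HMAC), then run a slow key-derivation function with a per-user salt.
    PBKDF2-HMAC-SHA256 is used here only because bcrypt is not in the stdlib."""
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, rounds).hex()


def store(password: str) -> dict:
    """Create the record a user database would hold: salt plus hash, never the password."""
    salt = new_salt()
    return {"salt": salt.hex(), "hash": strong_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = strong_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def salt_separates_identical_passwords(password: str) -> bool:
    """True when two users with the same password get different stored hashes,
    which is exactly what a unique per-user salt buys you."""
    a = store(password)
    b = store(password)
    return a["hash"] != b["hash"] and verify(password, a) and verify(password, b)


if __name__ == "__main__":
    salt = new_salt()
    print("salted MD5 :", md5_salted("correct horse", salt))
    rec = store("correct horse")
    print("strong hash:", rec["hash"])
    print("verify ok  :", verify("correct horse", rec))
    print("verify bad :", verify("wrong guess", rec))
    print("unique salts separate duplicates:", salt_separates_identical_passwords("hunter2"))
```

The practical difference is cost per guess: a legacy salted-MD5 record can be checked with one cheap hash, whereas each guess against the second scheme requires the server-side key and a slow derivation, which is why migrating stored hashes to a slow, keyed scheme limits the damage when a database backup leaks.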
The online world is most certainly not hack proof. This story illustrates a more traditional approach to getting on the inside. Interesting.
On a different note, whenever your readers do need a safe offsite Cloud solution, visit LogicWorks. Take the time to read the case studies to learn about the solutions they developed for specific companies. They are very capable.
Interesting post.