Link shortening service Bitly said this weekend the breach that hit the firm last week was due to employee credentials being stolen, which gave access to the firm’s offsite database backup.
The keys to the backup were stored in a “hosted source code repository”, which was also compromised.
Initially, Bitly was accused of being opaque in detailing the breach, but has since offered more information to appease angry users.
“We had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our users’ connected Facebook and Twitter accounts,” explained Rob Platzer, chief technology officer at Bitly, in a blog post.
“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account.
“We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
Those who signed up after 8 January are likely better protected, as their passwords were hashed with BCrypt and HMAC using a unique salt. Before that, passwords were stored as salted MD5 hashes; MD5 is a fast hash with known weaknesses, so those hashes are far cheaper for an attacker to crack offline.
A hash algorithm transforms the password into a fixed-length string of bits, known as the cryptographic hash value, so the service never has to store the password itself. A salt adds random data, unique to each account, as an input to that hashing process, so two users with the same password end up with different hashes and an attacker cannot reuse precomputed tables, making it trickier for hackers to brute force (guess) passwords.
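As an added illustration (not code from Bitly or from the article), the following Python contrasts the two storage schemes described above and shows how a service migrates a legacy record to the stronger scheme at login. It uses hashlib.pbkdf2_hmac from the standard library as a stand-in for bcrypt; HMAC_KEY, WORK_FACTOR and the record layout are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed server-side HMAC key (a "pepper"), kept outside the user database
# so a stolen backup alone does not contain it. Hypothetical value.
HMAC_KEY = b"constructed-example-server-secret"
WORK_FACTOR = 100_000  # iterations for the slow hash; raise as hardware gets faster

def legacy_hash(password: str, salt: bytes) -> bytes:
    """Old scheme: one fast MD5 over salt + password; each guess costs one MD5."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()

def modern_hash(password: str, salt: bytes) -> bytes:
    """New scheme: HMAC with the server key, then a slow salted hash.
    pbkdf2_hmac stands in for bcrypt (not in the stdlib); the tunable cost is the point."""
    keyed = hmac.new(HMAC_KEY, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, WORK_FACTOR)

def make_record(password: str, legacy: bool = False) -> dict:
    """Store scheme, per-user random salt and hash; never the password."""
    salt = os.urandom(16)
    fn = legacy_hash if legacy else modern_hash
    return {"scheme": "md5" if legacy else "hmac-pbkdf2",
            "salt": salt, "hash": fn(password, salt)}

def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    fn = legacy_hash if record["scheme"] == "md5" else modern_hash
    return hmac.compare_digest(fn(password, record["salt"]), record["hash"])

def login(record: dict, password: str) -> tuple:
    """On a successful login, transparently migrate a legacy record to the
    new scheme: the plaintext is only available at that moment."""
    if not verify(record, password):
        return record, False
    if record["scheme"] == "md5":
        record = make_record(password)
    return record, True

def cost_ratio(password: str = "correct horse") -> float:
    """Rough factor by which one guess became more expensive under the new scheme."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    legacy_hash(password, salt)
    t1 = time.perf_counter()
    modern_hash(password, salt)
    return (time.perf_counter() - t1) / max(t1 - t0, 1e-9)
```

Note that the salt is stored next to the hash and is not secret; what slows an offline attacker is the work factor, while the HMAC key only helps if it is kept out of the stolen backup.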
The online world is most certainly not hack proof. This story illustrates a more traditional approach to getting on the inside. Interesting.
On a different note, whenever your readers do need a safe offsite Cloud solution, visit LogicWorks. Take the time to read the case studies to learn about the solutions they developed for specific companies. They are very capable.
Interesting post.