
Bitly embraces two-factor authentication after data breach


Following criticism over the lack of details provided on last week's data breach, URL shortening service Bitly has finally revealed how hackers were able to compromise user accounts.


In a blog post published late on Friday, company CTO Rob Platzer ran through how hackers compromised accounts last Thursday, giving a refreshingly candid account of the method of the attack and of the new security measures adopted by the New York-based firm.

The company says that its security team was informed of a data breach by an unnamed technology company on Thursday evening. At the time there were fears that the hackers had gained access to the production user database or other production systems, but Bitly was keen to stress that what they had actually compromised was the firm's offsite database backup storage.

Platzer wrote that an unusually high volume of traffic was originating from the database, and added that this traffic was not initiated by the firm. Instead, he says the hackers had gained access by compromising a staff member's account. Further details of how they did this have not been disclosed.

The company has stressed that all passwords were salted and hashed (new users, and existing users who changed their passwords after January 8, had their passwords converted from salted MD5 to bcrypt and HMAC with a 'unique salt'), and says that while hashed passwords were exposed, plain-text versions were not.
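To make the migration described above concrete, here is an added illustration (not Bitly's code; the article gives no implementation details) of a verify-and-upgrade login path: legacy records hold a salted MD5, new records hold a slow salted hash of an HMAC of the password, and a legacy record is rewritten the first time its owner logs in successfully. Because bcrypt is not in the Python standard library, hashlib.scrypt stands in for bcrypt here; the HMAC key, record layout and salt lengths are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption (constructed): a server-side HMAC key held outside the user database,
# so a copy of a database backup alone does not yield the HMAC input.
HMAC_KEY = b"constructed-server-side-hmac-key-not-stored-in-db"

# Work factor for the scrypt stand-in (bcrypt in the article); kept modest for speed.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Salted MD5 as the article describes the pre-January scheme (assumed layout: salt || password)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def legacy_record(password: str) -> dict:
    """Build a record in the old format, as it would sit in the backup."""
    salt = os.urandom(8)
    return {"scheme": "md5", "salt": salt, "hash": legacy_md5_hash(password, salt)}


def modern_record(password: str, salt: Optional[bytes] = None) -> dict:
    """HMAC the password with the server-side key, then run a slow KDF with a unique salt."""
    salt = salt if salt is not None else os.urandom(16)  # unique per-user salt
    prehash = hmac.new(HMAC_KEY, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.scrypt(prehash, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"scheme": "scrypt-hmac", "salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Check a password against whichever scheme the stored record uses (constant-time compare)."""
    if record["scheme"] == "md5":
        return hmac.compare_digest(legacy_md5_hash(password, record["salt"]), record["hash"])
    if record["scheme"] == "scrypt-hmac":
        candidate = modern_record(password, record["salt"])["hash"]
        return hmac.compare_digest(candidate, record["hash"])
    raise ValueError("unknown password scheme: %r" % record["scheme"])


def login_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Verify the login; on success, replace a legacy MD5 record with a modern one."""
    ok = verify(record, password)
    if ok and record["scheme"] == "md5":
        return True, modern_record(password)
    return ok, record


if __name__ == "__main__":
    old = legacy_record("correct horse battery staple")
    ok, upgraded = login_and_upgrade(old, "correct horse battery staple")
    print(ok, old["scheme"], "->", upgraded["scheme"])
```

The point of the HMAC step is that an attacker holding only the backup cannot even begin an offline guessing attack without the separately stored key; the unique salt stops one precomputed table from covering every user; the slow KDF raises the per-guess cost. Upgrade-on-login is why the article distinguishes users who changed passwords after January 8 from those who did not: records are only rewritten when the plain-text password is momentarily available at login.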

As a result, and as detailed by at the time, the company immediately invalidated Facebook and Twitter credentials and forced internal password changes to protect users. Two-factor authentication has also been enabled for Bitly accounts on the source code repository, company-wide and at third-party services. End users, though, won't have this facility just yet, although Bitly says that it is working on "accelerated development" of two-factor authentication for

Additional security measures included rotating SSL certificates, issuing new credentials and adding "detailed logging" for offsite storage systems, while work is ongoing to notify users of password changes by email. The iPhone app now supports updated OAuth tokens, and executives have urged users to change both their API key and their OAuth tokens.

For all these changes, however, Bitly is adamant that no user details have been taken as a result of the data breach.

"The production database was never compromised nor was there any unauthorised access to our production network or environment," reads the blog post. "The data was from an offsite static backup. There was no risk of any data, including redirects, being changed."

The company's original blog post revealed the extent of the breach: “We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission.”

Lamar Bailey, director of security R&D at Tripwire, praised the company for being transparent about the attack.

"Bitly has done a great job documenting what happened and what steps they have taken since the breach," he told

"I would like to see more companies do this; it is a good testimonial to having a security incident response plan and putting it into action. Far too many companies have an incident response plan that was written but is not reviewed and amended, so when an incident occurs it is all but useless since it is out of date and no one knows how to follow it."

However, Forrester analyst Andrew Rose reserved his praise somewhat. He reiterated that the earlier DDoS attacks may have been a 'smokescreen' for bigger attacks, and was less than impressed with Bitly's remediation tactics.

"Reading Bitly's comments today, two things jump out. Bitly's comments about 'immediately enabling two factor authentication' for a remote data store suggests that their remote access methodologies were simple ID and password. This is a vulnerable state to be in and one which has ultimately come back to haunt them," Rose told

"Similarly, when they checked the logs they 'discovered an unauthorised access' record; had logging and alerting been operating effectively, this inappropriate access record could have been noticed much earlier."

Rose added: "It's easy to criticise; however, many firms struggle with the volume and complexity of managing logs to identify security incidents. I'm less sympathetic, however, about the absence of two factor authentication for an important remote data site."
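Two signals in this story, the "unusually high volume of traffic" from the backup store that Platzer mentions and the "unauthorised access" record that Rose says should have raised an alert earlier, are the kind of thing a simple rule over storage access logs can catch. The following is an added example (not Bitly's tooling; the log format, field names, principals and thresholds are all constructed for illustration) that flags reads by a principal outside the expected backup service account and flags any principal whose egress exceeds a byte budget within a sliding window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample lines in a hypothetical key=value access-log format for
# an offsite backup bucket. Dates, principals and addresses are made up.
SAMPLE_LOG = """\
2014-05-08T21:02:11Z principal=backup-svc action=PUT object=db/backup-20140508.tgz bytes=52428800 src=10.0.4.12
2014-05-08T21:02:40Z principal=backup-svc action=GET object=db/manifest.json bytes=2048 src=10.0.4.12
2014-05-08T22:15:03Z principal=jdoe action=GET object=db/backup-20140508.tgz bytes=52428800 src=203.0.113.7
2014-05-08T22:15:45Z principal=jdoe action=GET object=db/backup-20140507.tgz bytes=52428800 src=203.0.113.7
2014-05-08T22:16:10Z principal=jdoe action=GET object=db/backup-20140506.tgz bytes=52428800 src=203.0.113.7
"""

# Assumptions: only the backup service account should touch the store, and no
# legitimate job reads more than 100 MiB from it within any ten-minute window.
EXPECTED_PRINCIPALS = {"backup-svc"}
EGRESS_BYTES_LIMIT = 100 * 1024 * 1024
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Turn one 'timestamp k=v k=v ...' line into a dict; bytes becomes an int."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = int(value) if key == "bytes" else value
    return event


def find_alerts(log_text: str) -> List[Tuple[str, str, datetime]]:
    """Return (rule, principal, timestamp) triples for every line that trips a rule."""
    alerts: List[Tuple[str, str, datetime]] = []
    egress: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: any access by a principal that is not the backup job is an incident record.
        if ev["principal"] not in EXPECTED_PRINCIPALS:
            alerts.append(("unexpected_principal", ev["principal"], ev["ts"]))
        # Rule 2: sliding-window egress volume per principal.
        if ev["action"] == "GET":
            history = egress[ev["principal"]]
            history.append((ev["ts"], ev["bytes"]))
            history[:] = [(t, b) for t, b in history if ev["ts"] - t <= WINDOW]
            if sum(b for _, b in history) > EGRESS_BYTES_LIMIT:
                alerts.append(("egress_volume", ev["principal"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, principal, ts in find_alerts(SAMPLE_LOG):
        print(ts.isoformat(), rule, principal)
```

On the constructed log the first jdoe line would have been enough to page someone under rule 1, well before the volume rule fires on the third download. Neither rule needs more than the log the store already writes; what matters is that someone is watching the output, which is precisely Rose's complaint.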
