Confusion reigns after Bitly data breach

URL link shortening service Bitly has asked its users to change passwords and their API key and OAuth token after revealing that some user accounts have been compromised. But precise details on the attack have not been made public.

Exclusive: Bitly hit by DDoS attack
Exclusive: Bitly hit by DDoS attack

In a blog post published earlier today, CEO Mark Josephson detailed that Bitly account details had been compromised, and said that the company had chosen to disconnect all users' social media (Facebook and Twitter) log-ins in a bid to prevent any further damage.


“We have reason to believe that Bitly account credentials have been compromised. We have no indication at this time that any accounts have been accessed without permission,” wrote Josephson, a hint perhaps that details had been leaked from inside the company.


Josephson added that users would be able to reconnect to their Facebook and Twitter accounts at next login, and further advised users to reset any other connecting applications by going to ‘Connected Accounts' under ‘Your Settings'.


Bitly's PR team didn't respond to SC questions on the nature of the breach, or the accounts that had been affected, instead directing us to the company's blog post and social media accounts. “We'll be making more updates via Twitter,” said a company spokesman via email.


And at this point the motive and tools used in the attack are rather unclear, despite Bitly posting the following, statement on its blog post: “We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward.” 

 

Independent security researcher Graham Cluley admitted that Bitly's lack of communication on the details of the attack are worrying.

"Something of a mystery remains about what happened. Bitly is currently declining to explain how it determined that the privacy of customer accounts had been breached, or what went wrong," he wrote on a blog post.

"Furthermore, no details are shared regarding precisely what information the hackers might have got their hands on. For instance, if passwords were compromised were they in plaintext or hashed? If they were hashed, was it done securely with salting and other techniques to make it trickier for hackers to crack them?"

This isn't the first security incident for Bitly - which claims to shorten one billion links per month. As SCMagazineUK.com reported exclusively at the time, the URL shortening service was down for hours after a distributed-denial-of-service (DDoS) attack in February (the company stressed that no data was compromised), and faced a similar spate of attacks just a month later.

 

Forrester information security analyst Andrew Rose told SCMagazineUK.com that the earlier DDoS attack could have been a 'smokescreen' for a larger attack.

 

"The Bitly DDOS attack earlier in the year could well have been 'smokescreen' attack which obscured more malicious activity," he said, noting the recent Neustar survey which showed that 55 percent of DDoS attacks were also victims of data or IP theft.

"Bitly's use of the word "proactive" in their response is a little disingenuous, they are in a reactive situation brought about by a security failure, and one in which their customer communications are as brief as their URLs, and that's not a good thing."

IOActive Lab CTO Cesar Cerrudo  told SCMagazineUK.com that, while unlikely, it is possible that the data breach is tied to the earlier DDoS atttacks.


"A DDoS attack is very different than a security compromise and requires different skillset to deliver the attack,” said Cerrudo. “For example, a DDoS attack doesn't require a lot of skills to do. However, the attacks could possibly be from multiple different sources or maybe the same attackers have succeeded with the compromise/breach after a lot of trying.”


He added that Bitly may have become a target if they banned or blocked malicious hackers from using the service, while another line of thinking is that Bitly may have been targeted as it is used by a number of big companies - including the New York Times and Pepsico - for customised shortened links.


Quocirca analyst Bob Tarzey stated that it is hard to say why the shortening service has been attacked.


“The question that must always be asked is why? When it comes to Bitly that is a hard question, as the micro URL service could have dealings with all sorts of players on the internet on either side of the good-bad divide,” he told SCMagazineUK.com.


“With regards to the breach – it is not clear to me how a cyber-criminal would gain financially from accessing a given organisation's Bitly account, the stolen identity in any such case may lead them somewhere else useful. Hacktivists may have better reasons for doing so, being able to poison a brand by changing stuff behind the scenes etc."


He added on the previous DDoS attacks. "So maybe the DDoS attack was someone who took umbrage. That said, it could just be someone demoing their DDoS capability to a potential client – “look how well it works against a well-known site – we could do the same for you.”