In a blog post published late on Friday, company CTO Rob Platzer ran through how hackers compromised accounts last Thursday, providing refreshing insight on the method of the attack, and the new security measures employed by the New York-based firm.
The company says that its security team was informed of a data breach by an unnamed technology company on Thursday evening. At the time, there were fears that hackers had gained access to the production user database or other production systems, but Bitly was keen to stress that the attackers had instead compromised the firm's offsite database backup storage.
Platzer wrote that an unusually high volume of traffic was originating from the database, and added this was not initiated by the firm. Instead, he says that hackers had gained access by compromising a staff member's account. Further details on how they did this have not been disclosed.
The company has stressed that all passwords were salted and hashed (new or existing users who changed passwords after January 8 had their passwords converted from salted MD5 to bcrypt with HMAC using a ‘unique salt’), and says that while hashed passwords were exposed, plain text versions were not.
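As an added example (not Bitly's code), this models the mixed state the post describes: legacy salted-MD5 rows are still verifiable and are transparently upgraded, on the next successful login, to a slow hash keyed with a server-side HMAC secret and a unique per-user salt. It assumes the standard-library PBKDF2-HMAC as a stand-in for bcrypt (which is not in the Python standard library) and a constructed HMAC secret.

```python
import hashlib
import hmac
import os

# Server-side HMAC secret (constructed value). Kept out of the database so a
# leaked backup alone is not enough to start cracking the upgraded hashes.
PEPPER = b"constructed-server-side-hmac-secret"


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Legacy format: salted MD5, fast to brute-force once the backup leaks."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Upgraded format: HMAC the password with the secret, then slow-hash it
    with a unique salt. PBKDF2 stands in for bcrypt here (assumption)."""
    salt = salt or os.urandom(16)
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, 200_000)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify against whichever format the row holds; rewrite legacy rows
    to the new format when the supplied password is correct."""
    stored = record["hash"]
    if stored.startswith("pbkdf2$"):
        _, salt_hex, _ = stored.split("$")
        expected = hash_password(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, stored)
    # Legacy salted-MD5 row: constant-time compare, then upgrade on success.
    ok = hmac.compare_digest(legacy_md5_hash(password, record["salt"]), stored)
    if ok:
        record["hash"] = hash_password(password)
        record["salt"] = None  # salt now lives inside the new hash string
    return ok


def make_legacy_user(password: str) -> dict:
    """Constructed legacy account record, as it would sit in an old backup."""
    salt = os.urandom(8)
    return {"hash": legacy_md5_hash(password, salt), "salt": salt}
```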
As a result, and as detailed by SCMagazineUK.com at the time, the company immediately invalidated Facebook and Twitter credentials and forced internal password changes to ensure user security. Two-factor authentication has also been enabled for Bitly accounts on the source code repository, company-wide and at third-party services. End users, though, won't have this facility just yet, although Bitly says that it is working on “accelerated development” of two-factor authentication for Bitly.com.
Additional security measures employed included rotating SSL certificates, new credentials and “detailed logging” for offsite storage systems, while work is ongoing to notify users of password changes by email. The iPhone app now supports updated OAuth tokens, while executives have urged users to change both their API key and OAuth tokens.
For all these changes, however, Bitly is adamant that no user details have been taken as a result of the data breach.
“The production database was never compromised nor was there any unauthorised access to our production network or environment,” reads the blog post. “The data was from an offsite static backup. There was no risk of any data, including redirects, being changed.”
The company's original blog post revealed the extent of the breach: “We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission.”
Lamar Bailey, director of security R&D at Tripwire, praised the company for being transparent about the attack.
“Bitly has done a great job documenting what happened and what steps they have taken since the breach,” he told SCMagazineUK.com.
“I would like to see more companies do this; it is a good testimonial to having a security incident response plan and putting it into action. Far too many companies have an incident response plan that was written but is not reviewed and amended, so when an incident occurs it is all but useless, since it is out of date and no one knows how to follow it.”
However, Forrester analyst Andrew Rose reserved his praise somewhat. He reiterated that the earlier DDoS attacks may have been a ‘smokescreen’ for bigger attacks, and was less than impressed with Bitly's remediation tactics.
“Reading Bitly's comments today, two things jump out. Bitly's comments about "immediately enabling two factor authentication" for a remote data store suggest that their remote access methodologies were simple ID and password. This is a vulnerable state to be in and one which has ultimately come back to haunt them,” Rose told SCMagazineUK.com.
“Similarly, when they checked the logs they "discovered an unauthorised access" record; had logging and alerting been operating effectively, this inappropriate access record could have been noticed much earlier.”
Rose added: “It's easy to criticise; however, many firms struggle with the volume and complexity of managing logs to identify security incidents. I'm less sympathetic, however, about the absence of two-factor authentication for an important remote data site.”