Users of the ubiquitous URL shortener Bitly may have noticed they had problems posting links on their Facebook and Twitter over the weekend. The problem wasn’t a glitch in the system, but rather the reaction to a major security scare the service had last week. Out of concern that the company had “reason to believe that Bitly account credentials have been compromised,” as the company stated In an “urgent security update”, the service disconnected all users’ Facebook and Twitter accounts from its service as a proactive measure to protect their private information.
Not much is publicly known about the breach but the alert noted that there was a possibility that “users’ email addresses, encrypted passwords, API keys and OAuth tokens” could have been compromised. The ramifications of such a breach expand beyond the Bitly site itself because those credentials are what Bitly uses to connect user accounts and third-party sites, like Facebook and Twitter, where Bitly links are often shared.
“We have no indication at this time that any accounts have been accessed without permission,” he wrote in the security update. “For our users’ protection, we have taken proactive steps to ensure the security of all accounts.”
Now that Bitly has disconnected all accounts, users will have to reauthorize them before they can post links to them. Bitly has said its safe for users to reconnect their accounts using the following steps for security.
Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
Go to the ‘Profile’ tab and reset your password.
Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
Bitly has been less than forthcoming with details about what happened. Security consultant Graham Cluey noted that by not explaining how the breach is suspected to have happened, there is a lot that remains unknown to the general public.
“For instance, if passwords were compromised, were they in plaintext or hashed?” he mused in a recent blog post. “If they were hashed, was it done securely with salting and other techniques to make it trickier for hackers to crack them?”
The potential harm of the breach ranges from mild annoyance to major headache depending on the user. Prior to disconnecting all of the accounts, users who had linked their Bitly to their Facebook and Twitter accounts could have had their accounts used for spam. If password data was stolen and hacked (which the heartbleed vulnerability reminds us is very possible), then users who have the same password for multiple sites have additional things to worry about.
To be fair, there is no indication this has happened or that any information was taken,a s was noted above. But the mystery surrounding what specifically happened that caused Bitly to issue the alert, how long was the issue active before the company took action, and were there any delayed reports of trouble caused by the issue (things unknown at the time of the original press conference but discovered later), mean that users of the platform need to take all necessary precautions.