Bit.ly security breach affects Facebook, Twitter users
Posted by: Jon Ben-Mayor on 05/10/2014 06:31 AM
Bit.ly, the URL shortening service has been breached; CEO Mark Josephson confirmed via the company's blog: "We have reason to believe that Bitly account credentials have been compromised."
Josephson goes on to recommend that all Bit.ly users make these changes: "Please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts."

We invalidated all credentials within Facebook and Twitter. Although users may see their Facebook and Twitter accounts connected to their Bit.ly account, it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles.
Following are step-by-step instructions to reset your API key and OAuth token:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bit.ly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all user data going forward.
We have a number of projects remaining to continue to add layers of security, but here are some of the things we have done since the breach and are continuing to work on:
- Invalidated all Twitter and Facebook credentials
- Rotated all credentials for our offsite storage systems
- Enabled detailed logging on our offsite storage systems
- Rotated all SSL certificates
- Reset credentials used for code deployment
- GPG encryption of all sensitive credentials
- Enforced two-factor authentication on all 3rd party services company-wide
- Accelerated development of our work to support two-factor authentication for bitly.com
- Accelerated development for email confirmation of password changes
- Added additional audit details to user security pages
- Enabled detailed logging on our offsite storage systems
- Updated iPhone App to support updated OAuth tokens
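Step 3 of the advisory above tells users to change the rotated API key "in all applications", which is the step most often missed in practice: a stale copy of the old key in a config file, share-button script or mobile build keeps working until revocation and then silently breaks, or worse, is still a secret worth stealing. The following script is an added example written for this article, not code from Bit.ly or from the author; it walks a project tree, reports every text file that still contains the revoked key, and prints only a hash of the key so the report itself does not re-leak it. The key value, the file layout and the `R_` prefix are constructed sample data.

```python
"""Post-rotation check: find files that still contain a revoked credential.

Added example (not from the article or from Bit.ly). The old key and the
sample project tree are constructed here so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample values; a real run would use the key that was just revoked.
OLD_KEY = "R_0123456789abcdef0123456789abcdef"  # hypothetical revoked legacy API key
TEXT_SUFFIXES = {".py", ".js", ".json", ".env", ".yml", ".yaml", ".ini", ".txt", ".cfg"}


def find_revoked_key(root, old_key, suffixes=TEXT_SUFFIXES):
    """Return a sorted list of (relative POSIX path, line number) where old_key still appears."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        # Only scan text-like files; binaries (images, builds) are out of scope for this check.
        if not path.is_file() or path.suffix not in suffixes:
            continue
        try:
            lines = path.read_text(encoding="utf-8", errors="ignore").splitlines()
        except OSError:
            continue
        for lineno, line in enumerate(lines, 1):
            if old_key in line:
                hits.append((path.relative_to(root).as_posix(), lineno))
    return sorted(hits)


def redact(key):
    """Identify a secret in reports by a short hash rather than its plaintext."""
    return "sha256:" + hashlib.sha256(key.encode()).hexdigest()[:12]


def build_sample_tree(root):
    """Create a constructed mini-project: two stale references, one clean file, one binary."""
    root = Path(root)
    (root / "config").mkdir(parents=True, exist_ok=True)
    (root / "config" / "app.env").write_text(f"BITLY_API_KEY={OLD_KEY}\nDEBUG=false\n")
    (root / "share_button.js").write_text(f'const apiKey = "{OLD_KEY}";\nexport default apiKey;\n')
    (root / "mobile.json").write_text('{"bitly_api_key": "R_newkey_placeholder"}\n')
    # Binary file containing the key: skipped because .png is not a text suffix.
    (root / "logo.png").write_bytes(b"\x89PNG" + OLD_KEY.encode())


def run_check(root=None):
    """Scan a tree (a constructed one if none is given) and report remaining references."""
    if root is None:
        root = tempfile.mkdtemp(prefix="rotation_check_")
        build_sample_tree(root)
    hits = find_revoked_key(root, OLD_KEY)
    print(f"revoked key {redact(OLD_KEY)}: {len(hits)} remaining reference(s)")
    for rel, lineno in hits:
        print(f"  {rel}:{lineno}")
    return hits


if __name__ == "__main__":
    run_check()
```

Run it against a real checkout by calling `run_check("/path/to/project")` with `OLD_KEY` set to the revoked value; an empty result is the signal that the key can be safely reset and the rest of the advisory's steps (password reset, reconnecting Facebook and Twitter) can proceed.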