Bitly breached, gives (shortened) details to customers on blog

Popular URL shortener Bitly is the latest cloud service to say, “Er, looks like crooks have been wandering around in our network.”

Users logging in today will see a warning at the top of the sign-in page:

I wish I could report on what happened, and offer you some advice on what the impact might be.

Sadly, however, Bitly has made its breach notification as brief and opaque as the URLs its service generates.

If you visit the link on the sign-in page, this is all you will see by way of explanation:

We have reason to believe that Bitly account credentials have been compromised. We have no indication at this time that any accounts have been accessed without permission. For our users’ protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.

There are several things that seem to be missing here:

• What actually got stolen?

Reading that “account credentials have been compromised” leads me to assume the worst: that usernames and passwords, or at least the raw data fields needed to effect a login, were stolen, and that other personal information associated with each account was taken as well.

So, what did the crooks get hold of?

Cleartext passwords? Hashed passwords? If they were hashed, how well? What other information makes up “account credentials” in Bitly’s vocabulary?

• How easy will it be to abuse the stolen credentials?

So far, no accounts seem to have been abused, which is good to know.

But is this a technical consequence of how the credentials were stored, meaning they are hard to abuse, or simply that the crooks haven’t got around to using them yet?

Without information on what was stolen, and how it fits into the authentication process, it’s impossible to decide whether this claim reflects that Bitly has additional defences that make the stolen data less useful, or whether it’s just a matter of “we’ve all been lucky so far.”

A bit more openness and clarity here would be very helpful.

• What if you haven’t linked Facebook or Twitter accounts to Bitly?

If you’re relying on a plain old login at the sign-in page shown above, what do you need to do? Should you change your password?

Should you be expecting a prompt advising you to change it? Will you be forced to do so as soon as you log in? (And if not, why not?)

A bit more clarity, and some technical details, would be very handy.

What to do?

Intriguingly, Bitly couldn’t resist adding a self-congratulatory paragraph near the end of the notification:

We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward.

Just a quick note to Bitly’s wordsmiths: closing the stable door after the horse has bolted is not, by any stretch of the English language, a “proactive measure.”

Oh, and it’s probably not worth signing off with:

We take your security and trust in us seriously.

These words are at best pleonastic, because your users are entitled to assume that you take security seriously; it shouldn’t need to be touted as a feature.

And they are at worst disingenuous, at least when you are writing about an incident in which you didn’t take your users’ security seriously enough.

My recommendations:

• If you’ve connected your Twitter or Facebook accounts to Bitly, follow Bitly’s instructions carefully.
• If you use regular username/password logins to Bitly, change your Bitly password.
• If you have used your Bitly password on any other site, change that password too, and DON’T SHARE PASSWORDS AGAIN.
• If you have a breach to disclose, don’t tell me how seriously you take security; instead: be clear, be open, and apologise.

Oh, and to Bitly: 2BRIEF, PLSXPAND.