Bitly breached, gives (shortened) details to customers on blog

Filed Under: Data loss, Featured, Privacy, Security threats

Popular URL shortener Bitly is the latest cloud service to say, "Er, looks like crooks have been wandering around in our network."

Users logging in today will see a warning at the top of the sign-in page:

I wish I could report on what happened, and offer you some advice on what the impact might be.

Sadly, however, Bitly has made its breach notification as brief and opaque as the URLs its service generates.

If you visit the link on the sign-in page, this is all you will see by way of explanation:

We have reason to believe that Bitly account credentials have been compromised. We have no indication at this time that any accounts have been accessed without permission. For our users’ protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.

There are several things that seem to be missing here:

• What actually got stolen?

Reading that "account credentials have been compromised" leads me to assume the worst: that usernames and passwords, or at least the raw data fields needed to effect a login, were stolen, and that other personal information associated with each account was taken as well.

So, what did the crooks get hold of?

Cleartext passwords? Hashed passwords? If they were hashed, how well? What other information makes up "account credentials" in Bitly's vocabulary?

• How easy will it be to abuse the stolen credentials?

So far, no accounts seem to have been abused, which is good to know.

But is this a technical consequence of how the credentials were stored, meaning they are hard to abuse, or simply that the crooks haven't got around to using them yet?

Without information on what was stolen, and how it fits into the authentication process, it's impossible to decide whether this claim reflects that Bitly has additional defences that make the stolen data less useful, or whether it's just a matter of "we've all been lucky so far."

A bit more openness and clarity here would be very helpful.

• What if you haven't linked Facebook or Twitter accounts to Bitly?

If you're relying on a plain old login at the sign-in page shown above, what do you need to do? Should you change your password?

Should you be expecting a prompt advising you to change it? Will you be forced to do so as soon as you log in? (And if not, why not?)

A bit more clarity, and some technical details, would be very handy.
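To make the "how well were they hashed?" question concrete, here is an added example (written for this page, not code from Bitly or from the original post) that shows why the storage format decides how easy stolen credentials are to abuse. Two toy credential stores hold the same users: one keeps unsalted, fast hashes, the other keeps per-user salted PBKDF2 hashes. The same small wordlist is run against a "leaked" copy of each. All users, passwords, the wordlist and the iteration count are constructed assumptions for the example.

```python
"""Added example: unsalted fast hashes versus salted, slow hashes, and what
a dictionary attack on a leaked copy of each costs the attacker.
All sample data below is constructed for the example, not real Bitly data."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample users and a constructed five-word attacker wordlist.
USERS = {"alice": "letmein", "bob": "hunter2", "carol": "x9!Qv#7pLm2$"}
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for the demo
SALT_BYTES = 16


def store_weak(password: str) -> str:
    """Unsalted, fast hash: identical passwords give identical hashes, and
    one precomputed table of guesses serves for every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF, serialised as iters$salt$hash."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_weak(leaked: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on the weak store: hash each word ONCE, then look
    every user up in that table. Returns (cracked users, hashes computed).
    The cost is len(WORDLIST) no matter how many users leaked."""
    table = {store_weak(w): w for w in WORDLIST}
    cracked = {u: table[h] for u, h in leaked.items() if h in table}
    return cracked, len(WORDLIST)


def crack_strong(leaked: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Same wordlist against the salted store: the salt defeats the shared
    table, so every (user, guess) pair costs a full PBKDF2 run. Users who
    chose dictionary words still fall, but each one costs the attacker
    separately, and each attempt is PBKDF2_ITERATIONS times slower."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, stored in leaked.items():
        for guess in WORDLIST:
            work += 1
            if verify_strong(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


def build_stores() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the two 'leaked' credential tables from the sample users."""
    weak = {u: store_weak(p) for u, p in USERS.items()}
    strong = {u: store_strong(p) for u, p in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("weak store  :", crack_weak(weak))
    print("strong store:", crack_strong(strong))
```

The point for a breach notice: if the leaked table looks like the weak store, "no accounts have been accessed yet" is luck; if it looks like the strong store, users with decent passwords have real breathing room, and the ones with dictionary words are the only ones who need to hurry.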

What to do?

Intriguingly, Bitly couldn't resist adding a self-congratulatory paragraph near the end of the notification:

We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward.

Just a quick note to Bitly's wordsmiths: closing the stable door after the horse has bolted is not, by any stretch of the English language, a "proactive measure."

Oh, and it's probably not worth signing off with:

We take your security and trust in us seriously.

These words are at best pleonastic, because your users are entitled to assume that you take security seriously; it shouldn't need to be touted as a feature.

And they are at worst disingenuous, at least when you are writing about an incident in which you didn't take your users' security seriously enough.

My recommendations:

  • If you've connected your Twitter or Facebook accounts to Bitly, follow Bitly's instructions carefully.
  • If you use regular username/password logins to Bitly, change your Bitly password.
  • If you have used your Bitly password on any other site, change that password too, and DON'T SHARE PASSWORDS AGAIN.
  • If you have a breach to disclose, don't tell me how seriously you take security; instead: be clear, be open, and apologise.

Oh, and to Bitly: 2BRIEF, PLSXPAND.


4 Responses to Bitly breached, gives (shortened) details to customers on blog

  1. Mike · 518 days ago

    "ensure the security of all account credentials." I guess we can assume that means they're guaranteeing that account credentials can never be stolen again. Interesting how companies word their notices. I wonder how they achieve such perfect security?

  2. Laurence Marks · 518 days ago

    Paul, just a guess, but I theorize that bitly connected the user's account (ID/password info) to his Facebook/Twitter account with a simple database key relating two tables.

    Suppose both tables appear to have been compromised. The straightforward recovery is to wipe all the Facebook/Twitter info and maintain the ID and properly hashed and salted passwords. When the user logs in to reconnect to social networking, a new key is established and a new record made in the Facebook/Twitter table.

    Reading backward from what they have requested of the users, this seems to have been what happened.

    By the way, is there anyone besides me concerned by the fact that this domain,, is registered in Libya? Why support a hostile administration, even if it's only for $9.00 per year?

  3. Andrew Ludgate · 518 days ago

    "closing the stable door after the horse has bolted is not, by any stretch of the English language, a 'proactive measure.'"

    Sure, this is a reactive measure, not a proactive one, and it's a badly worded breach notice; but neither is the horse metaphor apt: this is more like closing the paddock gate after a wolf has run off with some of your (customer's) sheep. Closing the gate still keeps the rest of the wolves out and protects any sheep that may still be left.

    Of course, the reactive steps do nothing to ensure account credential security; they just close the gate that was left open. I hope they're doing a complete security audit on top of this, and that they eventually tell us exactly what steps they've taken.

    Oh yes, and I'll repeat the mantra for those who didn't take it seriously enough when Paul said it:


    • Paul Ducklin · 517 days ago

      Who said there was only one horse in the stable :-)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog