In an update on a potential compromise of user accounts, URL shortening service Bitly explained that an unauthorized individual may have gained access to an offsite database backup service where user details were held.
On May 8, the “security team of another technology company” informed Bitly about the security breach of Bitly user credentials.
According to Bitly CTO Rob Platzer in a blog post, Bitly’s security team was confident no external connections were made to its production user database, and production servers and network seemed not to be accessed by unauthorized parties.
Platzer, however, wrote that the security team “observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.”
It turns out there is evidence that an unauthorized user accessed a Bitly employee’s hosted source code repository account, which contained the credentials for the offsite database backup. Those credentials would give the unauthorized user potential access to the offsite database.
Platzer wrote, “We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
Believing it likely that the user database was compromised, the company began taking steps to protect users who have their Facebook and Twitter accounts connected. These measures included rotating all SSL certificates and all credentials for offsite storage systems, collecting detailed logs of its offsite storage systems, invalidating all Twitter and Facebook credentials, and enforcing two-factor authentication on all third-party services.
The company is also working to add two-factor authentication for bitly.com and email password change confirmation. Two-factor authentication is becoming something that many web hosts are offering as a means to beef up security and protect user accounts. Recently, SingleHop launched multi-factor authentication.
As Bitly ratchets up its security, the incident serves as a reminder that credentials to third-party services must be handled very securely within an organization. Third-party service security can be a potential liability for a service provider, but one shouldn’t forget that login credentials can hand over access to a hacker very easily.
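The failure mode described above is backup-storage credentials sitting in a source code repository, so that whoever gains access to the repository account also gains access to the backups. The following Python secret scanner is an added example written for this article; it is not Bitly’s code and not part of the original post. It walks a small constructed repository (the file contents, endpoints and key values are all made up for the example), flags lines that carry credential-shaped values, skips values that are environment-variable or template placeholders (the hardened form of the same line), and reports only a redacted prefix so the scanner’s own output does not become another place the secret leaks.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    redacted: str  # never carry the full secret into a report


# Credential shapes that should never live in a repository. These patterns
# are constructed for this example and are deliberately simple.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # scheme://user:password@host  (credentials embedded in a URL)
    "url_with_password": re.compile(
        r"\b[A-Za-z][A-Za-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}


def is_placeholder(value: str) -> bool:
    """A reference to an environment variable or a template slot is the
    hardened form of the same line, not a leaked secret."""
    return value.startswith("${") or value.startswith("<") or value.startswith("{{")


def redact(secret: str) -> str:
    """Keep enough of the value to locate it, never enough to use it."""
    return secret[:4] + "***" if len(secret) > 4 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply every rule to every line of one file."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            # Rules with a capture group isolate the secret value; the rest match it whole.
            secret = match.group(match.lastindex) if match.lastindex else match.group(0)
            if is_placeholder(secret):
                continue
            findings.append(Finding(path, line_no, rule, redact(secret)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory repository: {path: file contents}."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository. One config file commits the backup
# credentials; its hardened twin references them from the environment.
SAMPLE_REPO = {
    "config/backup.yml": (
        "storage:\n"
        "  endpoint: https://backup.example.invalid\n"
        "  access_key_id: AKIAEXAMPLEEXAMPLE12\n"
        "  secret: s3cretBackupKey!\n"
    ),
    "scripts/restore.sh": (
        "#!/bin/sh\n"
        "export DB_URL=postgres://backup_user:hunter2pass@db-backup.example.invalid/app\n"
        "pg_restore --dbname \"$DB_URL\" latest.dump\n"
    ),
    "config/backup.hardened.yml": (
        "storage:\n"
        "  endpoint: https://backup.example.invalid\n"
        "  access_key_id: ${BACKUP_ACCESS_KEY_ID}\n"
        "  secret: ${BACKUP_SECRET}\n"
    ),
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
```

Run as a pre-commit hook or a CI step, a scanner like this catches the committed backup key and the password embedded in the restore script while leaving the `${BACKUP_SECRET}`-style configuration alone. It is a detection control, not a substitute for the rotation Bitly performed: once a secret has been committed it should be treated as exposed and replaced, since repository history keeps it even after the line is removed.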