After data breach, Bitly enables 2-factor authentication

Following a data breach discovered last week, URL shortening service Bitly has enabled two-factor authentication to protect its account holders.

 

In a blog post, Bitly chief technology officer Rob Platzer also said they traced the compromise to an unauthorized access to the account of one of the company's employees.

 

"We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities," Platzer said.

 

He added an audit of the security history for Bitly's hosted source code repository, which contains the credentials for access to the offsite database backup storage, showed the unauthorized access on an employee’s account.

 

Platzer added the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company.

 

Also, he said that while hashed passwords were exposed, plain text passwords were not.

 

He added no Bitlink had been affected or changed due to the breach.

 

"The production database was never compromised nor was there any unauthorized access to our production network or environment.  The data was from an offsite static backup.  There was no risk of any data, including redirects, being changed," he said.

 

Security measures

 

In the meantime, Platzer said the company continues to work on security measures since the breach, including:

 

- Invalidated all Twitter and Facebook credentials

- Rotated all credentials for the offsite storage systems

- Enabled detailed logging on offsite storage systems

- Rotated all SSL certificates

- Reset credentials used for code deployment

- GPG encryption of all sensitive credentials

- Enforced two-factor authentication on all third-party services company-wide

- Accelerated development to support two-factor authentication for bitly.com

- Accelerated development for email confirmation of password changes

- Added additional audit details to user security pages

- Enabled detailed logging on offsite storage systems

- Updated iPhone App to support updated OAuth tokens

 

— Joel Locsin, ELR, GMA News