URL Shortener Bitly Suffers Security Breach

Last week, Bitly, a popular URL shortening service, announced a breach in security. The breach compromised user data—including emails, passwords, API keys and OAuth tokens. Though Bitly CEO Mark Josephson stated he doesn’t believe user accounts were accessed without permission, this could change if users do not act quickly to change their account credentials.

The reasons behind the attack aren’t clear. Perhaps someone simply wished to probe one of the more useful services out there for the fun of it. Maybe a hacker wanted to compromise the service for future endeavors. Regardless of the perpetrator’s intentions, the result is the same: users need to reset their passwords, and if you’ve linked Facebook or Twitter to a Bitly account, you’ll have to reset your OAuth tokens as well.

What are OAuth tokens, you ask? OAuth (which I discussed in my blog on the “Covert Redirect” vulnerability earlier this month) is used to connect a service to social media accounts because it authenticates that user’s identity (through either Facebook, Twitter, Google+ or another service). Through its tokens, OAuth acts as a sort of Internet passport—allowing users to jump from one point to another without needing to sign in at each new destination.

After discovering that OAuth tokens had been compromised, Bitly disconnected all accounts linked to Facebook and Twitter. Those users will have to go back and reset their tokens in order to preserve their online identity. Resetting your OAuth token can be intimidating, but Bitly has provided a five-step guide for users to follow.

In addition to the frustrations of resetting logins, the OAuth compromise on Bitly could have some serious consequences. Phishing attacks, where hackers attempt to trick victims into surrendering sensitive information, rely largely on the trustworthiness of a user. Gaining access to an online identity through an OAuth token is valuable as hackers who share links from compromised accounts have a good chance at duping the user’s friends into clicking on a link seemingly sent from that person. Hackers also have a need to disguise malicious links, which Bitly has the capacity to do by shortening URLs into a masked form (i.e. changing ww2.maliciouswebsite101.net/malware to bit.ly/45eZ2ty6). And using Bitly, hackers can easily post those compromised links to multiple accounts all at once.

Thankfully, Bitly is doing everything they can to fix the situation.

So what can you do if you use Bitly? Well, there are a few options:

  • Change your passwords. I’ve discussed what constitutes a good password before, but it bears repeating. You should use a unique password for each site you use. Your passwords should be at least 14 characters in length and use a combination of upper and lowercase letters, numbers and symbols. For more information on how to create strong passwords and protect them visit: www.passworday.org.
  • Enable two-factor authentication. Two-factor authentication is a security technique that requires users to possess two things: something they know (like a password), and something they have (like a mobile phone). The use of two-factor authentication can drastically cut down on the likelihood of a hacker stealing your identity. If you have the opportunity to use two-factor authentication, use it.
  • Think twice before granting third party apps access to your account.  I wrote last August about the trouble with allowing third-party access to your social media accounts. When given the option to “Sign in with Facebook” (or any other email or social media provider), consider the consequences carefully. Not all third-party apps that request this access have the best security processes in place, which may allow for your account to be compromised.
  • Use anti-phishing protection. McAfee® SiteAdvisor®, which comes with McAfee LiveSafe™ service, provides color-coded ratings on the safety of your browser’s search results and external links found in your Facebook, Google+ and LinkedIn streams when viewing from your PC or Mac. As well, when used on a mobile device, PC, or Mac, McAfee SiteAdvisor also provides a warning message after you click, but before taking you to a site, if the link appears harmful. If you do not have McAfee LiveSafe, you can still take full advantage of McAfee SiteAdvisor by downloading it for free, here.
  • Use comprehensive security on all your devices. Threats come from all directions. Security has to too. With McAfee LiveSafe, you’re provided with the most comprehensive security services, working 24/7 to protect your data, identity and devices (including PCs, Macs, smartphones, and tablets) from dangerous websites and malware.

And, of course, stay on top of the latest consumer and mobile security threats by following @McAfeeConsumer on Twitter and Like us on Facebook.

Gary Davis

Leave a Comment

eleven + 3 =