Bitly Data Breach Hits Facebook, Twitter Users

(Image credit: Bitly)

The URL-shortening service Bitly has suffered a data breach, and the collateral damage has spread to include Facebook and Twitter accounts.

"We have reason to believe that Bitly account credentials have been compromised," wrote Mark Josephson, CEO of New York-based Bitly, in a blog posting yesterday (May 8). "We have no indication at this time that any accounts have been accessed without permission."


Because Bitly is among thousands of websites that let users log in with Facebook or Twitter credentials, anyone who did so is urged to change their Facebook or Twitter passwords.

"For our users' protection, we have taken proactive steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts," the Bitly blog posting said. "All users can safely reconnect these accounts at their next login."

Facebook and Twitter never hand Bitly their users' passwords. Instead, they use the OAuth authorization protocol to issue Bitly an access token for each connected account, so Bitly's servers don't store the actual passwords to those services. But an OAuth access token is a bearer credential: anyone who holds a copy can use it to act on the linked Facebook or Twitter account until the token expires or is revoked. Disconnecting the linked accounts, as Bitly says it has done, is meant to invalidate those tokens on the Facebook and Twitter side.
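To make the bearer-token point concrete, here is an added simulation (not Bitly's, Facebook's or Twitter's code, and using made-up names such as "shortener" and "alice@social") of a provider that issues OAuth-style tokens to a relying party, the relying party's stored token table being copied by an attacker, and the two things that close the window: token expiry and revocation of every token issued to the breached client.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL = 60 * 60  # assumed one-hour token lifetime; real providers vary


@dataclass
class Token:
    client_id: str    # relying party the token was issued to
    user: str         # provider-side account the token grants access to
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Stand-in for the social network that issues and checks bearer tokens."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, client_id: str, user: str, now: float) -> str:
        value = secrets.token_urlsafe(32)  # opaque, unguessable bearer value
        self._tokens[value] = Token(client_id, user, now + TOKEN_TTL)
        return value

    def revoke_client(self, client_id: str) -> int:
        """Invalidate every live token issued to one relying party."""
        count = 0
        for tok in self._tokens.values():
            if tok.client_id == client_id and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def introspect(self, value: str, now: float) -> Optional[str]:
        """Resource-server check: the user a token grants access to, or None."""
        tok = self._tokens.get(value)
        if tok is None or tok.revoked or now >= tok.expires_at:
            return None
        return tok.user


class RelyingParty:
    """Stand-in for the URL shortener that stores tokens for connected accounts."""

    def __init__(self, client_id: str, auth: AuthorizationServer) -> None:
        self.client_id = client_id
        self.auth = auth
        self.tokens: Dict[str, str] = {}  # local account -> provider token

    def connect(self, local_user: str, provider_user: str, now: float) -> None:
        self.tokens[local_user] = self.auth.issue(self.client_id, provider_user, now)

    def disconnect_all(self) -> int:
        """The 'disconnect all users' step: revoke at the provider, then forget locally."""
        revoked = self.auth.revoke_client(self.client_id)
        self.tokens.clear()
        return revoked


def attacker_reach(auth: AuthorizationServer, stolen: List[str], now: float) -> List[str]:
    """Which provider accounts a holder of the leaked tokens can act as right now."""
    return sorted(u for t in stolen if (u := auth.introspect(t, now)))


def run_scenario() -> dict:
    auth = AuthorizationServer()
    shortener = RelyingParty("shortener", auth)
    t0 = 1_000_000.0  # constructed clock; avoids wall-clock dependence
    shortener.connect("alice", "alice@social", t0)
    shortener.connect("bob", "bob@social", t0)

    stolen = list(shortener.tokens.values())  # constructed: the breached token table
    before = attacker_reach(auth, stolen, t0 + 60)               # tokens still live
    expired = attacker_reach(auth, stolen, t0 + TOKEN_TTL + 1)   # expiry alone, no revocation
    revoked = shortener.disconnect_all()                         # provider-side revocation
    after = attacker_reach(auth, stolen, t0 + 60)                # same instant as 'before'
    return {"before": before, "expired": expired, "revoked": revoked, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

The "before" result shows the leaked tokens are enough on their own: no password is needed. Expiry closes the window eventually, but only revocation closes it immediately, which is why the relying party's remedy has to happen at the provider, not just in its own database.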

"Please take the following steps to secure your account: change your API key [a separate credential that third-party apps use to call Bitly's API] and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts," Josephson writes.

Josephson's posting gave no indication of how many Bitly users might be affected, what exactly was taken, or whether stored user passwords had been protected with salted one-way hashes. Nor did it say whether Bitly had reset user passwords itself.

If you have an account directly with Bitly, it's probably best to change that password immediately.

Bitly, a privately held company, doesn't disclose the number of its registered users, but does say it "shortens more than 1 billion links per month." Presumably, many of those come from casual users without Bitly accounts.

Josephson's blog posting includes fairly involved steps to take to reset the OAuth tokens and API keys using Bitly's own site:

"1) Log in to your account and click on 'Your Settings,' then the 'Advanced' tab.

2) At the bottom of the 'Advanced' tab, select 'Reset' next to 'Legacy API key.'

3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.

4) Go to the 'Profile' tab and reset your password.

5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the 'Connected Accounts' tab in 'Your Settings.'"

Bitly's own registration page asks only for a username, email address and password, so the extent of what might be disclosed from a native account is limited — as long as the user didn't re-use the same password elsewhere.

But anyone who's ever signed into Bitly using a Twitter or Facebook account will want to heed Josephson's advice.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.