Bitly, a site that shortens URLs to make sharing on social media easier, announced yesterday that its accounts have been compromised and that users need to change their passwords in addition to a few other steps to protect their privacy. Even though Bitly hasn’t found evidence of unauthorized access, it disconnected Facebook and Twitter accounts preemptively so that no one else can publish to these sites through Bitly. Users will need to reconnect their social media accounts to start using them again.
Facebook, Twitter credentials preemptively invalidated
“We have reason to believe that Bitly account credentials have been compromised. We have no indication at this time that any accounts have been accessed without permission,” Bitly wrote in a blog post. “Please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts.”
Bitly says that it has secured all paths that led to the compromise, but hasn’t explained what caused the problem in the first place or how it was discovered. Hopefully more information will become available once their security team is satisfied that there’s no more danger of the exploit, or a related attack, being used.
Bitly backs up URL shortener with brand management tools
You don’t have to have an account with Bitly to shorten URLs; there’s a tool that anyone can use right at the top of its home page, and a free account offers some additional benefits. The company’s business model, however, is based on selling its enterprise brand management package.
The full version of Bitly lets companies create custom short URLs, including a branded short domain, but it’s also a web analytics tool. Since the company is handling your links, it can determine where your traffic comes from, which campaigns are working, and how your links are being shared organically. At $995 per month, this package isn’t cheap, and it’s not exactly targeting social-media-savvy individuals or small businesses. A compromised account could reveal marketing data that companies would rather keep to themselves. Even more dangerous, if unauthorized users were able to publish links on a major company’s Twitter or Facebook account, it wouldn’t be that difficult to seriously embarrass the company.
It’s also possible that a compromised account could reveal payment information for Bitly’s clients, but from the blog post it seems that wasn’t the case.