While we continue working through our response to the compromise we reported yesterday, we wanted to provide some more insight into the question of how this happened and what we have done to ensure security going forward.
On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors.
Over the course of the next few hours, the security team determined with a high degree of confidence that there had been no external connections to our production user database and no unauthorized access to our production network or servers. They did observe an unusually high volume of traffic originating from our offsite database backup storage that had not been initiated by Bitly. At this point it was clear that the best path forward was to assume the user database had been compromised and to initiate our response plan immediately, which included steps to protect our users’ connected Facebook and Twitter accounts.
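The signal the team acted on, reads from the offsite backup store that Bitly itself did not initiate, as an added detection example that is not Bitly's code: the log format, the trusted address ranges and the byte threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed access-log lines for an offsite backup bucket (not real Bitly data).
# Fields: timestamp, source IP, operation, object key, bytes transferred.
SAMPLE_LOG = """\
2014-05-07T02:00:01Z 10.20.0.5 PUT backups/users-2014-05-07.sql.gz 734003200
2014-05-07T02:14:40Z 10.20.0.5 GET backups/users-2014-05-07.sql.gz 1024
2014-05-08T03:02:11Z 198.51.100.23 LIST backups/ 0
2014-05-08T03:02:19Z 198.51.100.23 GET backups/users-2014-05-07.sql.gz 734003200
2014-05-08T03:05:02Z 198.51.100.23 GET backups/users-2014-05-06.sql.gz 731906048
"""

# Assumed: the networks from which Bitly's own systems legitimately reach backup storage.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed baseline: bytes a single untrusted source may read before we alert.
EGRESS_THRESHOLD_BYTES = 100 * 1024 * 1024


def parse_line(line):
    """Split one log line into a record; the source address is parsed so it can be
    matched against CIDR ranges rather than compared as a string."""
    ts, src, op, key, size = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "op": op,
            "key": key, "bytes": int(size)}


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_egress(log_text):
    """Return {source_ip: total_bytes_read} for sources outside the trusted ranges
    whose GET volume exceeds the threshold. Reads are what a copy of a backup looks
    like in the log; the PUTs from the nightly backup job are expected traffic."""
    read_bytes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["op"] == "GET" and not is_trusted(rec["src"]):
            read_bytes[str(rec["src"])] += rec["bytes"]
    return {src: total for src, total in read_bytes.items()
            if total > EGRESS_THRESHOLD_BYTES}
```

Run against the sample, only the untrusted address that pulled two full dumps is reported; the small read from the backup host stays below the threshold and inside the trusted range.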
We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.
We have a number of projects remaining to continue to add layers of security, but here are some of the things we have done since the breach and are continuing to work on:
- Invalidated all Twitter and Facebook credentials
- Rotated all credentials for our offsite storage systems
- Enabled detailed logging on our offsite storage systems
- Rotated all SSL certificates
- Reset credentials used for code deployment
- GPG-encrypted all sensitive credentials
- Enforced two-factor authentication on all 3rd party services company-wide
- Accelerated development of our work to support two-factor authentication for bitly.com
- Accelerated development for email confirmation of password changes
- Added additional audit details to user security pages
- Updated iPhone App to support updated OAuth tokens
In addition, we’ve posted the answers to some frequently asked questions below. We’ll continue to update you here as needed.
Were passwords exposed?
Hashed passwords were exposed but plaintext passwords were not. All passwords are salted and hashed. If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt. Before that, it was salted MD5.
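The cut-over this answer describes, a legacy salted-MD5 row being re-hashed under the stronger scheme the next time its owner logs in, as an added example that is not Bitly's code: it stands in PBKDF2-HMAC-SHA256 from the standard library for the bcrypt the post names, and SERVER_KEY is a constructed placeholder for the HMAC key that would live outside the database.

```python
import hashlib
import hmac
import os

# Added example, not Bitly's code. The post names bcrypt + HMAC; PBKDF2-HMAC-SHA256
# is used here so the example runs on the standard library alone.
# SERVER_KEY is a constructed placeholder for the HMAC key kept outside the DB,
# so a backup of the user table alone is not enough to start offline guessing.
SERVER_KEY = b"constructed-placeholder-server-key"
PBKDF2_ITERATIONS = 200_000


def legacy_md5_hash(password, salt):
    """Legacy scheme described on the page (salt + MD5); kept only to verify old rows."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def strong_hash(password, salt):
    """Keyed pre-hash, then a slow salted KDF with a per-user salt."""
    keyed = hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS).hex()


def make_record(password):
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-hmac", "salt": salt, "hash": strong_hash(password, salt)}


def verify_and_upgrade(record, password):
    """Return (ok, record). A successful login against a legacy row rewrites the row
    with a fresh salt under the strong scheme, which is the behaviour the answer
    describes for logins after the cut-over date; a failed login changes nothing."""
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(legacy_md5_hash(password, record["salt"]), record["hash"])
        return ok, (make_record(password) if ok else record)
    ok = hmac.compare_digest(strong_hash(password, record["salt"]), record["hash"])
    return ok, record


# Constructed legacy row, as it might sit in a pre-cut-over backup.
LEGACY_SALT = b"0123456789abcdef"
LEGACY_ROW = {"scheme": "md5", "salt": LEGACY_SALT,
              "hash": legacy_md5_hash("correct horse", LEGACY_SALT)}
```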
Were any of my Bitlinks affected or changed?
No. The production database was never compromised nor was there any unauthorized access to our production network or environment. The data was from an offsite static backup. There was no risk of any data, including redirects, being changed.
UPDATE #4 - MAY 11 at 11:33AM EDT: We are sending an email to all users from the domain bitlysupport.com outlining the steps to secure your account. If you have already followed the steps to secure your account, you do not need to do so again.
UPDATE #3 - MAY 9 at 2:45PM EDT: We have updated this post to address questions regarding the Bitly iPhone app.
UPDATE #2 - MAY 9 at 10:30AM EDT: We have updated this post to explain what specifically was compromised and we’re encouraging all of our users to secure their Bitly accounts by following the recommendations listed below.
UPDATE #1 - MAY 8 at 8:32PM EDT: We have updated the section of this post regarding users who have Twitter or Facebook accounts connected to their Bitly accounts.
We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.
We are recommending all Bitly users make these changes. Please take the following steps to secure your account: change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts.
We invalidated all credentials within Facebook and Twitter. Although users may see their Facebook and Twitter accounts connected to their Bitly account, it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles.
Following are step-by-step instructions to reset your API key and OAuth token:
1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
3) Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
4) Go to the ‘Profile’ tab and reset your password.
5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
We have already taken proactive measures to secure all paths that led to the compromise and ensure the security of all user data going forward.
If you’re experiencing any trouble with the Bitly iPhone app, please update to the latest version found here. We have expedited an update to address any issues.
If you have account-specific questions, you can reach us at firstname.lastname@example.org.
We take your security and trust in us seriously. The team has been working hard to ensure all accounts are secure. We apologize for any inconvenience and we will continue to update our Twitter feed, @Bitly, as we have any further updates.
“Your growth is capped only by how good you are and how hard you work.”
- Mark Josephson
Our CEO Mark Josephson sat down with Adam Bryant of The New York Times to discuss being an entrepreneur, his leadership style and the path that brought him to Bitly in this week’s Corner Office.
Learn about Mark’s strategy, what it means to lead through “input, not consensus,” and his advice for those looking to enter the tech scene. Take a look at the entire article here.
Every spring, the business and tech worlds come together for Internet Week, a week-long festival that celebrates technology’s impact on business and culture. For four years, Internet Week NY (IWNY) has opened a small number of slots in its schedule to let the public vote for what they want to see on the stage.
This year, YOU can help us ‘Make the Stage’ at IWNY! To vote, you’ll need to create an Internet Week account (don’t worry - it only takes a minute). We’ve submitted two presentations:
Move Over Marketers; Consumers are Driving Your Brand: Social media is undoubtedly the most direct way to influence an audience but brands are taking the backseat as consumers gain share-of-voice. Consumer authority on brand content is skyrocketing - particularly amongst millennials. Consumers are driving how, when and where content is shared online; they’re the marketers of today. What does this mean for brands? Our CEO, Mark Josephson, will discuss how brands can work behind the scenes to steer these next-generation brand ambassadors, leveraging the trust and spotlight consumers have already built on social media to drive marketing strategy.
Content is the Web’s New Currency: Knowing what your content does as soon as you put it out into the open web is like money in the bank. In this presentation, our CEO Mark Josephson will discuss how marketers can look at the open web as a nearly endless source of audience intelligence. How your content is received and what people do with it used to be an open question, but now the technology exists to collect information in real-time so marketing teams can attack opportunities, increase efficiency and engage directly with previously undiscovered audiences.
This post was written for the Bitly blog by our product manager, Dan Touchette.
We recently rolled out a change to Bitly regarding customized keywords and Branded Short Domains. Users who shortened a link to a company’s website were formerly able to create free Custom Keywords and pair them with that company’s Branded Short Domain, making it appear as if the link was created by the company.
Despite previously limiting this capability, users could still manually replace one of our domains with a company’s Branded Short Domain and the shortlink would redirect to the page for which it was originally created. We are now preventing users from manually replacing our domains with a branded one.
We stopped supporting this ability because we understand the importance of the relationship between a brand’s identity and their Branded Short Domain. Now, when a user customizes the back-half of a branded shortlink, the Branded Short Domain will always be replaced with ‘bit.ly,’ ‘bitly.com,’ or ‘j.mp.’
Bitly doesn’t break links. It’s not just a mantra, it’s what we do. By keeping our links permanent, we maintain the integrity of our service and our values as a company.
As a result, we have chosen to support all shortlinks that were created in this way before this change was made. Going forward, if a user manually replaces one of Bitly’s short domains with a company’s Branded Short Domain, those links will not work.
Branded Short Domains are a way for companies to promote their brand and establish trust with their users. Bitly supports companies who want to better control their brand across all of their marketing channels. By preventing the ability described above, we reduce the risk to companies’ brands and prevent the unintended use of brand signals by people who do not own them.
We’re constantly working on ways to increase our security for those who entrust us with their links. At Bitly, we work every day to make our shortlinks even more powerful and empower those who trust us with their links to take advantage of that power.
If you are a Bitly Brand Tools user and have questions about the change, feel free to reach out directly to your customer success manager. If you’re interested in making your links more powerful with a Branded Short Domain and Bitly Brand Tools, please reach out to email@example.com.
This post was written for the Bitly blog by our CEO, Mark Josephson.
When we first started planning for this year’s SXSW, I was skeptical. It would be my second time and Bitly’s first time there as a company since my first trip to SXSW with a team back in 2009. While I had a really great time back then, it wasn’t clear to me this year how we would actually do business amidst the organized chaos that is SXSW.
Coming out of a five-day venture, it’s clear that my assumptions were way off. The conference is filled with decision makers, looking to learn how to make their business better. While it’s mixed with a lot of fun, the business being done there is undeniable.
Every year at SXSW, there are one or two companies or themes that emerge. This year, I was struck by the growth and presence of the social marketing platform.
I had the pleasure of meeting with teams from Hootsuite, Spredfast and Sprinklr, and I was blown away by all of them. Each is actively and aggressively moving to differentiate from the others, contribute to major marketing strategies and claim share for their business.
Additionally, the presence of major brands was incredibly strong. At my first SXSW experience, the Austin Convention Center was crowded with long lines of tech employees waiting to get into coveted panels. This year, representatives from all the major brands were there, actively learning and taking the initiative to further build and develop their marketing strategies.
The convergence of these two scenarios emphasized for me the role Bitly plays in the marketing ecosystem; we’re the connector. Or, to put it in Bitly terms, we are the link.
Just like we link users to their audiences and publishers to their content, we link brands with their platforms. While our presence was not massive, we co-hosted a brunch with Percolate and General Electric, and invited brands, customers and partners for a Superpower Hour, where our guests could discuss serious strategies for building business, connect to others in the industry, and even strike a pose with SuperChauncey in our gif booth.
It was great to have an open, honest dialogue amongst peers (some of whom, in the past, we may have called competitors) about the very real challenges and opportunities in our business. At the forefront of these efforts is the power of the link. While it is short in size, it is undoubtedly strong. The link is the connection between businesses and their audiences, platforms and brands, and users and insights.
Our marketing department is already coming up with bigger and better ideas for how we share Bitly next year, so I guess I should plan to book my hotel room early, like regular attendees do. I can’t even imagine how this conference can grow any more in the city of Austin, but I know I will be there to see it.
We’re excited to officially welcome the two most recent additions to our leadership team: Rob Platzer as our new Chief Technology Officer and Melissa Wallace as our new Vice President of Marketing.
Rob and Melissa will join Mark Josephson, our CEO, Brian Eoff, our Lead Scientist, and Jehiah Czebotar, our Head of Engineering, to round out our leadership team. We are fully committed to providing our users with data and insights around their shortlinks to help all users make better decisions in today’s connected world, and we know that Rob and Melissa, with their vast knowledge and experience in the digital media realm, are great additions to our leadership team as we develop a full range of tools to help marketers, brands and publishers.
Rob, who formerly served as CTO at AOL’s Patch and Outside.In (which was acquired by AOL), is a tech industry veteran with rich experience in building distributed systems, data-intensive applications and innovative products that connect the world. Combined with his approach to cultivating talent, teams and culture, Rob will be leading our technical strategy and talented team of engineers and data scientists.
Melissa, who is most recently known for rebranding and accelerating the marketing strategy of Buddy Media as the Vice President of Marketing there, brings a strong background in consumer, B2B and agency marketing to business at Bitly. Melissa will be overseeing all of our marketing initiatives, including brand, digital, event, product and content marketing.
“Bitly’s links are an incredibly powerful tool for marketers to build their brands and optimize campaign performance,” Mark said. “The addition of Melissa and Rob to our team accelerates our ability to bring new tools and insights that help our customers make better decisions; all while remaining an essential service to the internet as a whole.”
At Bitly, we’re always working to empower people to make better decisions by providing insight into the connected world. Our commitment to this statement is why we’re constantly thinking of new and innovative ways to help brands, publishers, agencies and users utilize our data.
We’re excited to announce our partnership with Moz, the industry’s most popular provider of search engine and social optimization software. Moz has chosen us to provide comprehensive click tracking data to discover, score and display inbound links from across the internet. Our data will allow Moz customers to have a clear and complete understanding of who is linking to any website and how relevant or valuable those links are for the brand based on the number and frequency of the clicks.
We have a unique view of how links are shared across the internet, and our differentiated dataset can help all marketers make better decisions. We’re excited to put this into action with Moz so their clients can better understand how content is shared across the web.
We’re excited to release the latest version of the Bitly iPhone app, now with a sleek, new iOS 7 optimized design. The app is faster than ever and it’s never been simpler to shorten and share your shortlinks.
Bitly Brand Tools customers have greater insights into their shortlinks than ever before. You can manage your team through your sub-account leaderboard. You can also see total click and share counts for all tracking domains, your top shortlinks by clicks and your most frequently shared shortlinks.
Additional highlights include improved stats about the links that you’ve saved. Click count bar graphs have finally been introduced to the app and you can also see a full list of others that have shared the same link.
Using the new Trending Links tab you can discover popular shortlinks on Bitly in real time. Enter search terms to find trending content, or connect your Facebook and Twitter profile to see what links your friends and followers have saved.
Learn more about the iPhone app and download it now here. Any questions? Email support[at]bitly.com.
If you have not heard, Venezuela is suffering from economic imbalances affecting its currency, the Bolivar. As a result, Venezuelans are searching for information about the value of their currency. Unfortunately, the government has been taking action to restrict access to the free flow of this information. For more details on what is happening there, read here.
Starting on November 18 and consistently since then, we noticed a change in the traffic we see from Venezuela:
We believe this change in traffic is related to the government-owned ISP CANTV, which controls most of Venezuela’s internet traffic. It appears CANTV is actively blocking hundreds of sites that publish information about Venezuela’s currency situation. Further, they appear to be intermittently blocking Bitly because our service makes it easier for people to share content.
We’ve been hearing from users in Venezuela too:
Bitly started as a link shortener to help people share links and understand what happens to those links. Since then, we’ve grown in many ways.
We’ve gotten really, really big. We’re shortening more than two billion links that are generating more than seven billion clicks each month. We see clicks from almost every website in every country in the world.
We’ve become more focused on giving individuals and companies insight into their place in the connected world, including a deeper understanding of what happens after they shorten a link. We track 4.8 billion data points each day and apply insight to that data.
What’s going on in Venezuela is important. It’s important to the citizens of Venezuela who want to understand the health of their country. It’s important for the rest of us, who might take our access to information for granted.
Our mission at Bitly is to empower people to better understand the world around them. We hope that the economic strain in Venezuela will be resolved - and sooner rather than later. In the meantime, we will work to find ways to support our users and their access to the free flow of information.
— Mark Josephson, CEO Bitly