Bitly Reports Data Breach
Account Credentials Compromised
Exposed information includes users' e-mail addresses, encrypted passwords, API keys and OAuth tokens, CEO Mark Josephson said in a May 9 statement, which does not specify how many users were affected.
"We have no indication at this time that any accounts have been accessed without permission," Josephson says. "We have taken steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login."
Bitly recommends all users change their API key and OAuth token, reset their passwords and reconnect their Facebook and Twitter accounts.
The company declined to provide additional details.
News of compromised OAuth tokens for Bitly users follows reports of a new flaw affecting OAuth 2.0 and OpenID, the open authorization and authentication standards that let users sign in to certain online services with an existing identity from another site, such as Facebook, Google or Yahoo (see: Is 'Covert Redirect' Flaw a Big Deal?).
The flaw could let an attacker hijack the OAuth or OpenID sign-in flow and obtain the data the user had consented to share with the service, including their e-mail address.
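The redirect-style weakness discussed above comes down to how an authorization server decides where it may send the authorization response. The following is an added example, not code from the article, from Bitly or from any of the identity providers named: a small model of that redirect_uri check, showing a lax host-level match beside a strict exact match and a few constructed redirect URIs on which they differ. The client identifier, hostnames and registry are hypothetical.

```python
"""
Added example (not the article's or any provider's code): redirect_uri
validation in an OAuth 2.0 authorization server, lax versus strict.
Client id, hostnames and the registry below are hypothetical.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Hypothetical client registry: client_id -> redirect URIs registered out of
# band when the client was created. Constructed for this example.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example/oauth/callback"},
}


def lax_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Host-level matching: accept any URL on a registered client's host.

    With this rule, any page on app.example that forwards to a URL taken
    from its query string becomes a way to bounce the authorization
    response, code included, to a third party.
    """
    try:
        host = urlsplit(redirect_uri).hostname
    except ValueError:
        return False
    registered_hosts = {
        urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())
    }
    return host is not None and host in registered_hosts


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact matching: scheme, host, port and path must equal a registered
    URI, and a query, fragment or userinfo component is never accepted."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.query or parts.fragment or parts.username:
        return False
    # Hostnames are case-insensitive; paths are not, so only netloc is folded.
    canonical = urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, "", ""))
    return canonical in REGISTERED_REDIRECTS.get(client_id, set())


def build_authorization_response(client_id: str, redirect_uri: str,
                                 code: str, state: str) -> Optional[str]:
    """Return the URL the user agent is sent to with the authorization code,
    or None when the redirect_uri fails the strict check."""
    if not strict_redirect_ok(client_id, redirect_uri):
        return None
    parts = urlsplit(redirect_uri)
    query = urlencode({"code": code, "state": state})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    # Constructed redirect targets; only the first is the registered callback.
    samples = [
        "https://app.example/oauth/callback",
        "https://app.example/redirect?to=https://attacker.example/",
        "http://app.example/oauth/callback",
        "https://app.example@attacker.example/oauth/callback",
        "https://app.example.attacker.example/oauth/callback",
    ]
    for uri in samples:
        print(f"lax={lax_redirect_ok('demo-client', uri)!s:5} "
              f"strict={strict_redirect_ok('demo-client', uri)!s:5} {uri}")
```

The second sample is the one that matters: the host is the legitimate client's, so host-level matching lets it through, and if that page forwards the browser to whatever `to=` names, the code in the query string travels with it. Exact matching against the registered callback closes that path on the server side regardless of what the client's site does.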