Add popular URL shortening service Bitly to the list of security issues that have popped up lately.
Today, on the company blog, Bitly CEO Mark Josephson wrote that they have “reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and Oauth tokens.” (emphasis Josephson’s). There is no evidence so far that accounts have actually been accessed, but that is no reason to take this lightly. Not only do all bit.ly URLs go through Bitly, but many other branded short URLs are processed by the service as well. Moreover, anyone who obtains your Bitly API key or OAuth token can use it to act as you in every application and social account it is wired into, and could do serious damage.
The company is recommending that all Bitly users do the following:
- Reset Bitly passwords
- Reconnect social accounts (which have already all been invalidated as a precaution)
- Change their API keys and OAuth tokens.
Here are the steps to take in order to protect yourself, per the Bitly company blog:
- Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.
- At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’
- Copy down your new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
- Go to the ‘Profile’ tab and reset your password.
- Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’
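The hardest part of the third step is knowing every place the old key or token was pasted. The script below is an added example, not code from Bitly or from the original article: it searches a set of configuration files for the compromised values and reports each location that must be updated after the reset, printing only a hash fingerprint of each secret rather than the secret itself. The file contents and secret values are constructed for the example and are not real Bitly credentials.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for an organisation's share buttons,
# mobile app and social publisher configs. Values are made up for this example.
SAMPLE_FILES = {
    "share-button/config.js": 'var BITLY_KEY = "EXAMPLE-LEGACY-KEY-0123";\n',
    "mobile/app.properties": "bitly.api_key=EXAMPLE-LEGACY-KEY-0123\n",
    "publisher/.env": "BITLY_OAUTH_TOKEN=EXAMPLE-OAUTH-TOKEN-4567\nOTHER=1\n",
    "docs/README.md": "No secrets here.\n",
}

# The values that were reset in Bitly and must now be replaced everywhere.
OLD_SECRETS = {
    "legacy_api_key": "EXAMPLE-LEGACY-KEY-0123",
    "oauth_token": "EXAMPLE-OAUTH-TOKEN-4567",
}


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so a report can name a secret without echoing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_secret_uses(files: Dict[str, str],
                     secrets: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (label, path, line_number) for every line containing an old value."""
    hits: List[Tuple[str, str, int]] = []
    for label, value in secrets.items():
        pattern = re.compile(re.escape(value))  # literal match, not a regex
        for path, text in files.items():
            for number, line in enumerate(text.splitlines(), start=1):
                if pattern.search(line):
                    hits.append((label, path, number))
    return sorted(hits)


def rotation_report(files: Dict[str, str],
                    secrets: Dict[str, str]) -> Dict[str, List[str]]:
    """Group the locations to edit by secret label ("path:line" strings)."""
    report: Dict[str, List[str]] = {label: [] for label in secrets}
    for label, path, number in find_secret_uses(files, secrets):
        report[label].append(f"{path}:{number}")
    return report


if __name__ == "__main__":
    for label, locations in rotation_report(SAMPLE_FILES, OLD_SECRETS).items():
        print(f"{label} (sha256 {fingerprint(OLD_SECRETS[label])}): "
              f"{len(locations)} location(s) to update")
        for location in locations:
            print("   ", location)
```

In practice you would read the files from the application repositories and deployment configs instead of the inline dictionary, and treat every reported location as a place where the new key or token must be installed before the old one stops working.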
Note that creating a bit.ly URL doesn’t necessarily mean that you have an account with Bitly. If your website, application, or social media account is linked to Bitly, however, you should take these steps as quickly as possible in order to protect yourself and your information. This includes websites, mobile apps, social media services (such as Hootsuite, Sprout Social, Buffer, and any other Twitter manager), and any personal or corporate social media accounts.
We recommend that you follow the advice on Bitly’s corporate blog and take action to change your passwords, API keys, and OAuth tokens.