Cyber Incident Victim: Bitly

Date: May 2020

Location: United States of America

Summary

Bitly experienced a security breach compromising user data including email addresses, encrypted passwords, API keys, and OAuth tokens, though no evidence indicated unauthorized account access. The company disconnected integrated Facebook and Twitter accounts, patched vulnerabilities, and directed users to reset API keys, OAuth tokens, and passwords while reauthorizing connected applications to restore security.

Description

On May 9, 2020, Bitly, a URL shortening service, disclosed a security breach through an "Urgent Security Update" posted by CEO Mark Josephson on the company blog. The announcement stated investigators had identified evidence suggesting unauthorized access to user data, though no confirmed instances of account compromise were detected at the time of disclosure. Exposed information included email addresses, encrypted passwords, API keys, and OAuth tokens. Bitly promptly severed connections between user accounts and integrated third-party platforms—specifically Facebook and Twitter—as an immediate containment measure to prevent potential misuse of OAuth tokens. The company confirmed implementing patches to address the vulnerability but did not disclose technical details regarding the attack vector, intrusion methods, or duration of unauthorized access prior to detection.

Bitly directed all users to reset their Legacy API keys and OAuth tokens via account settings, regenerate passwords, and manually reconnect third-party applications to ensure severed integrations did not disrupt service functionality. Step-by-step instructions required users to navigate to the 'Advanced' tab in account settings to reset API keys, update these keys in all integrated applications (including social media publishers and mobile apps), change passwords under the 'Profile' tab, and review 'Connected Accounts' to reauthorize detached services. The company asserted that systems were secured following remediation and that no further unauthorized access occurred post-patch. While emphasizing the precautionary nature of these steps due to the absence of confirmed account breaches, Bitly's response centered on mitigating risks associated with exposed authentication credentials and API access points. The incident's primary operational impact involved temporary service interruptions during credential resets and application reconnections, with no reported data misuse or secondary compromises linked to the breach.
