As many of you will no doubt already know, Bitly (the popular URL shortener) had a data security breach that they were made aware of “early [on] Thursday morning”. Hashed passwords were exposed to the hackers, meaning that your password could in theory be recovered, but only with an enormous amount of computing power. For security reasons, Bitly have disassociated all Twitter and Facebook accounts and revoked all OAuth tokens, according to their CTO, Rob Platzer.
In a statement, Bitly said “We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”
It is unclear whether this is suspected to be an “inside job”; however, it does appear from this that at least one employee account at their backup data centre was compromised. Bitly says that they have rotated the credentials for their backup storage, enforced two-factor authentication on all third-party services and enabled “detailed logging” on their offsite backup systems. No production systems were compromised, and there is no risk of current bit.ly links being redirected or deleted.
Source: Bitly blog