The latest major online outfit to suffer from a breach is Bitly, the URL shortening service beloved by users of Twitter and Facebook. According to a statement from Bitly CEO Mark Josephson, the company has "reason to believe that Bitly account credentials have been compromised."


Although Josephson insists that there is no indication at the current time that any Bitly accounts have actually been accessed by the hackers, he has quite wisely taken the proactive step of disconnecting all users' Facebook and Twitter accounts, which means they will be required to reconnect these when they next log in, once their API keys and OAuth tokens have been changed and their passwords reset.

"We invalidated all credentials within Facebook and Twitter. Although users may see their Facebook and Twitter accounts connected to their Bitly account, it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles," Josephson states.

So how do you do that? Well, in true Bitly style, here's the short of it:

  1. Log in, navigate to Your Settings|Advanced
  2. Hit the reset button next to Legacy API key
  3. Copy the new key and change it in all apps
  4. Reset your password from the profile tab
  5. Disconnect and reconnect all Bitly-using apps

Meanwhile, Josephson insists that Bitly has "already taken proactive measures to secure all paths that led to the compromise and ensure the security of all account credentials going forward."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Oh, and I should add, of course:

  1. If the same password was used at other services, change it there as well...



Yeah, I got the same message, didn't click on it because it seemed suspicious. I think as more people are using the internet, criminals are also focusing on exploiting the weaknesses in internet security.


Actually, that highlights another problem that people face: email phishing scams have become so commonplace that genuine security alerts are often seen as suspicious and ignored. The only way to deal with a breach of this nature is for the service to reset logins and force a password change when users try to connect next.
