Bitly, the popular URL shortening tool, recently announced to users that the company has reason to believe it has been compromised.
In a post on the official Bitly Blog, CEO Mark Josephson says the company has no indication any user accounts have been accessed. But the company is taking no chances.
Bitly, a popular choice for Twitter and Facebook users, says it has disconnected all Facebook and Twitter accounts. The company says it has also invalidated all Bitly user credentials on both sites.
Social media users often use Bitly to create shortened URLs, which are useful when there isn’t room to include an entire website address, as on Twitter.
Josephson suggests all users change their passwords before reconnecting their social media accounts and reusing the site.
Josephson says the company believes email addresses and encrypted passwords have been compromised, along with API keys used to interface with Bitly for social media publishing, share buttons and mobile apps. The company says authentication tokens, which contain password and other information so that users do not need to sign in every time they want to use Bitly, are probably also compromised. Josephson explains:
“We are recommending all Bitly users make these changes. Please take the following steps to secure your account: Change your API key and OAuth token, reset your password, and reconnect your Facebook and Twitter accounts.”
In step-by-step instructions for resetting API keys and authentication tokens on the site, Josephson recommends:
- Log into your account and select “Your Settings.”
- Select the “Advanced” tab and then choose “Reset” near the “Legacy API key” at the bottom.
- Copy down your new API key and be sure to change it in all external applications like social publishers and other outside software that may need to access Bitly.
- Reset your password in the “Profile” tab.
- Check the “Connected Accounts” tab under “Your Settings” and be sure you have disconnected and reconnected any external apps or software that accesses Bitly.
The Bitly staff also encourage users to contact them with any specific questions about individual accounts at firstname.lastname@example.org.