Bitly reveals hackers stole secret keys from hosted code repository

Amazon Web Services last month warned developers against storing their credentials in plaintext in GitHub, which appears to be what was behind last week's Bitly hack.

Popular link shortener Bitly has revealed that the attack that caused it to disconnect all users’ Facebook and Twitter accounts last week was the compromise of an employee account on its hosted code repository, where it stored the secret key to its "offsite backup" database.

Bitly announced last Friday that users’ account credentials were compromised and quickly described what actions users should take. However, security experts criticised the company for being vague about what exactly was compromised, how passwords were protected and how it discovered the breach in the first place.

The company appears to have listened to that criticism, clarifying on Saturday that hackers stole credentials to its backup database, but not its production database, after an employee account on its hosted source code repository was compromised.

According to Rob Platzer, Bitly’s chief technology officer, the company’s security team was alerted to a possible breach early Thursday morning by an unnamed tech company. After that, Bitly’s team discovered suspicious traffic from an offsite database backup.

According to Platzer, from that point, the company judged it best to “assume the user database was compromised”, which explained its initial response on Friday to disconnect all Facebook and Twitter accounts tied to a Bitly account.

“[T]he Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers,” Platzer wrote on Saturday.

“They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly.”

Further investigations revealed that the attacker was able to breach the offsite backup because Bitly was storing its credentials for access to it in its hosted source code repository. 

“We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account.  We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”

Bitly doesn’t mention which hosted source code repository it was using. However, if the company’s tale sounds familiar, that’s because only last month Amazon Web Services cautioned developers against storing their AWS log-in credentials in plain text on GitHub, a practice that was worryingly common, as ITNews.com.au reported last month.
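
A check a team can run in CI or a pre-commit hook to catch the practice described above, as an added example that is not from Bitly, AWS or the original article. The file path, variable names, sample values and entropy threshold are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 chars.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret-looking name assigned a quoted literal of 12+ characters.
SECRET_ASSIGN = re.compile(
    r"(?i)(?:secret|password|passwd|token|api_?key)\w*\s*[:=]\s*[\"']([^\"']{12,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per repository


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, placeholders score low."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_number, rule) for every suspected plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        match = SECRET_ASSIGN.search(line)
        # Low-entropy literals are treated as placeholders, not real secrets.
        if match and shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high-entropy-secret"))
    return findings


# Constructed sample file; every value below is made up for this example.
SAMPLE = '''\
aws_access_key_id = "AKIAABCDEFGHIJKLMNOP"
backup_db_secret_key = "q8Zr2LmXv0TnB4cJ7yPdK1sWf9HgU3eA6oNiR5tM"
api_key = "REPLACE_ME_REPLACE_ME"
db_password = os.environ["BACKUP_DB_PASSWORD"]
'''

if __name__ == "__main__":
    for path, lineno, rule in scan("config/backup.py", SAMPLE):
        print(f"{path}:{lineno}: {rule}")
```

The last two sample lines are not flagged: one is a low-entropy placeholder and the other reads the credential from the environment instead of embedding it in the repository.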

In addition, Bitly’s Platzer clarified that until January it was using the ill-advised MD5 algorithm to hash passwords, albeit with the additional protection of salting.

“Hashed passwords were exposed but plain text passwords were not. All passwords are salted and hashed.  If you registered, logged in or changed your password after January 8th, 2014, your password was converted to be hashed with BCrypt and HMAC using a unique salt.  Before that, it was salted MD5.” 
