Turning to Two-Factor After Password Exploits
The aftermath of a data breach raises many questions, including why certain security tools weren’t implemented in the first place to prevent simple attacks carried out with stolen credentials. While unfortunate, these breaches also pinpoint the organizations that may be lagging behind in adopting the security tools that can effectively stop credential-based attacks.
Bitly’s Breach: Exploited Offsite Backup Credentials
After the security team of another tech company alerted them, Bitly found that the credentials of an employee had been exploited to breach their systems, resulting in the exposure of users’ email addresses, encrypted (hashed and salted) passwords, API keys and OAuth tokens.
A suspicious and unusually high amount of traffic originating from their offsite database backup storage led them to review the access logs of their hosted source code repository, where they discovered that an unauthorized person had logged into an employee’s account.
Incident Response Plans: Two-Factor as the First Step
While their immediate next step was enabling two-factor authentication for all Bitly accounts on the source code repository, they also executed a rather impressive response and remediation plan outlined in their blog. In addition to invalidating Twitter and Facebook credentials, they changed and encrypted their offsite storage and code deployment credentials. They also enabled detailed logging for offsite storage and changed SSL certificates.
When it came to two-factor authentication, they not only accelerated development to support the service for their website, but they also enforced the use of two-factor for all of their third-party vendors.
They also sent out an email to users the other day and posted recommendations in a blog, advising users to change their API key and OAuth tokens, reset passwords and reconnect Facebook and Twitter accounts. Bitly also updated their mobile application, and users were advised to update to the latest version if they were experiencing any issues.
A Security Best Practice... Before the Breach Happens
This isn’t the first (nor will it be the last) company to implement two-factor after a breach that resulted from exploited user credentials. Last year, Evernote was the victim of a breach in which attackers accessed their users’ email addresses, usernames and encrypted (hashed and salted) user passwords. They were initially forced to reset 50 million passwords, and they also implemented two-factor authentication after the fact, as reported by NetworkWorld.com.
Nowadays, two-factor authentication is considered a security best practice. Many major social media networks and the vendors that support the industry have been breached at one point or another through the exploitation of user credentials. Most of them now require two-factor authentication for internal employees and also offer it as an option to their community of end users.
While putting two-factor in place after a breach is great, it’s obviously more useful if it’s already in place. To get tips on how to evaluate a two-factor solution, read our Two-Factor Authentication Evaluation Guide.
Read more about other social networks and two-factor authentication in:
Two-Factor Authentication for Social Media: Now, Tumblr!
LinkedIn "LIONs" Are an Easy Target for Criminals
HootSuite and Buffer: Social Media Giants Enable Two-Factor