
Linode hacked, customer database taken - shawndumas
http://www.marco.org/2013/04/16/linode-hacked
======
notaddicted
It was about a year ago when their customer service portal was breached that I
mentally moved Linode off my list of VPS with a "good" reputation
(<http://status.linode.com/2012/03/manager-security-incident.html>).

Still, people seem surprised that they've been breached again. There are other
VPS providers, why would one choose this one? How can you rely on their
security self-assessment?

I think the only credible response to their situation is to hire an external
IT security firm for an extensive audit and then publish the results. Like
something on the scale of the Fox-IT report on the breach of DigiNotar:
<http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2012/08/13/black-tulip-update.html>.

EDIT: this was also discussed 3 days ago here:
<https://news.ycombinator.com/item?id=5541915>

------
robflynn
With respect to the password, there was an additional log from the hacker
stating that the key password was held in memory and was accessed by him via
Cold Fusion.

He claims to have been able to decrypt the credit card data at that point. He
did state that he only decrypted a couple of them and that he has also
destroyed the data since Linode's blog post went live.

-

The above info came from line 75 of the following pastebin:
<http://pastebin.com/7WXRDyAg>

07:52 < HTP> the CCrypter class of the linode application context was
accessable from outside the wwwroot using undocumented ColdFusion methods. i
was fully able to decrypt the ccs using the in-memory privkey that they
supplied the password for.

-

I have no idea of the validity of any of that information. To be safe, I have
modified my keys/passwords and have deactivated the card number associated
with the account.

I figure playing on the safe side is better and that changing everything will
result in fewer "surprises."

------
agwa
> I’ve never used Lish, but if you have, consider those passwords permanently
> compromised.

Even if you _haven't_ used Lish, consider it compromised, because according to
Linode support all Linodes are assigned a random Lish password by default. The
same is also true for API tokens (maybe - Linode support doesn't seem to
know). See this thread for more details:
<https://news.ycombinator.com/item?id=5553694>

------
daeken
> It’s up to you whether you’re confident enough in the passphrase’s
> complexity to continue trusting any credit-card numbers you’ve used with
> Linode.

I trust Linode's security and their password complexity is almost certainly
sufficient to keep the key secure; I cycled my credit card number regardless.
It's a minor inconvenience to reduce the risk of a bigger inconvenience.

Any time there's a compromise of this nature, I assume that they got the keys
to the castle and any data involved I consider to be in the hands of
attackers. The cost of that paranoia is fairly low in the grand scheme of
things, even if it's a bit overboard.

------
Lightning
<https://news.ycombinator.com/item?id=5556846>

