So I switched to Digital Ocean after the last Linode security fiasco and I can't say I regret it.
Should you decide to switch to another VPS provider I strongly recommend you cite the security problems when they ask you why you're closing your account. The only reliable way to get the security message across to technical managers and business people alike is to make it about money. That said the fact that this has happened, in this way, again to Linode is a very bad sign.
Having been in meetings, advocated for taking security seriously, and heard the rationalizations for a lax approach I can only say that as a customer if your desire for security isn't made crystal clear you have no hope of getting it. It has to be a deal breaker or not only will companies like Linode not learn, but their competitors who stand to gain from their loss won't either.
It seems like the data in this is identical to the stuff that was leaked last time. My guess is that someone was able to gain (user level) access to one of the servers hosting the forums, and the best they were able to do is leak an old database that was around from the last breach. It smells like skiddies trying to stir up drama to me. The names of the people posting this crap on IRC are "SABU", "<ryan____", "robertlevin", and "illegal". Yeah they're fucking troll idiots.
You need only read all of the comments made by that account to get the answer to that. I actually have a pretty good idea of who it is, and we will wait to see if I'm proven right.
Likewise, though my specific concerns were around a suspiciously large volume of inbound traffic that appeared to be maliciously probing for open services, and in particular a lack of any sort of upstream mitigation (to paraphrase their response, "can't help you, try Cloudflare").
Of course, Digital Ocean has had its own problems lately with not properly scrubbing decommissioned VPS containers... so to some degree, data security is not a Linode specific problem. And for that matter it is not just because someone is recycling passwords (bad), but because it is by nature one of the most fundamental and pervasive security challenges with any VPS hosting. Your AWS node might be perfectly secure, but it might be sharing a physical rack with a Russian botnet and you'd have no way to know.
Bottom line, if you are using a shared environment there is always some risk of having bad neighbors, experiencing disruption at the supervisory layer or of your data bleeding over into an untrusted location. Your application security design should be planned accordingly, and the choice of VPS host is only one part of that equation.
What really made me move away from linode is really their inability to accept paypal.
Luckily, digitalocean accepted paypal. Also their $5 servers cannot be beat.
Sure, linode has some good panels but it was more than I can chew and more than I needed. Digitalocean also had a good amount of documentation to do everything I needed without filing a ticket.
A lot of merchants (e.g. Amazon) don't use PayPal because it isn't a real bank, and so isn't beholden to laws associated with banks. The terms of service state that you cannot seek any legal recourse from them should your account be shut down.
How could this affect a VPS provider? Say a customer hosts a porn site, or a gun-selling site, or something else PayPal disagrees with. PayPal shuts the merchant's account down for it. Now the merchant's funds are frozen for an indeterminate amount of time till the issue can be resolved, if at all, and there's nothing they can do about it short of appealing to PayPal.
These things are happening often enough for them to be a competitive strategy between rival VPS hosting companies.
(I happen to have servers hosted at Linode, Digital Ocean and a local provider, and always find it amusing to tally the amount of "happy customers" that pop up in comment threads like this)
I've looked through this. It looks to be a sanitized version of their database with very old information. The reason I say sanitized is because there look to be little or no credit cards there, and the only ones that look like CC numbers are '4111111111111111'.
My guess is that this is an old development DB that was left on a server that may have been forgotten about.
The account submitting this story was created six days ago, and this is their only activity on HN so far. The credentials mentioned are old and the data in the claimed dump is from 2009. So far this seems highly implausible.
Linode publishes logs of their IRC channel at https://www.linode.com/irc/logs/, but it's currently returning "504 Gateway Time-out". Does anyone know offhand if that URL had previously been broken, or if Linode has taken the logs offline following the attack?
That doesn't really make any sense. That's not a MySQL default, so you're saying they intentionally set the root user password to '*'? I'm not sure I buy that.
I try to stay away from databases run by other companies, for this reason. Seems to be safer to run my own and block access than the convenience of db as a service.
Obviously if you don't have the experience in this, you're susceptible to this kind of leak.
From reading the thread it looks like it was a linode database running their forums. Self hosting wouldn't solve this particular problem unfortunately.
I don't understand, I'm not really seeing anything interesting in the SQL dumps, were they scrubbed of most of their rows? It looks like most of the tables are severely outdated/deprecated tables that were once used for testing but no more. E.g. users, customers, etc.
This looks like their forum server (phpbb). I'm not listed on here (been a customer of linode for a few years, and on the forums). I see no posts or anything with my info (or text from posts I've made).
Also, looking through the post data on there, it's all from 2003. And I can't find any of the posts listed in this sql dump on their active DB. I see nothing exciting here.