VPS host Linode issues customer-wide password reset
Virtual Private Server (VPS) hosting company Linode has reset the passwords on all of its user accounts following a "coordinated attempt to access one of our customers".
In a email sent to its customers, it wrote that it had discovered and blocked suspicious activity on the Linode network, specifically targeting one particular customer's hosting package.
"We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed."
While Linode did not divulge who the customer was, it said that it was aware of the attempt on its account and of the extent and impact of the attempted breach.
"We have been advised that law enforcement officials are aware of the intrusion into this customer's systems."
Although other customers' accounts have not been affected, Linode has decided to reset all passwords and is recommending that users change their shell passwords, as well as regenerate any Linode API keys that they may have.
There are currently claims that the breach stems further than a single customer. A Linode customer wrote on the WebHosting Talk forum that they had been contacted by a hacker with the online handle "ryan_".
Ryan_ claims that his hacking group, Hack The Planet, had access to the manager.linode.com domain via a ColdFusion exploit and that it had a deal with Linode staff not to share it. He alleges that Linode broke the deal by contacting law enforcement, and that while credit card details were stored encrypted, the private and public keys required to decrypt them were also stored on a compromised server.
Linode currently has an investigation under way and has told customers that it is unable to comment on ryan_'s claims.
Ryan_ had posted a directory listing for the linode.com website, which should normally not be visible to the public. The files and directories in the listing match most of those currently in use, including filenames that should not be easy to guess. The listing does not, however, provide enough information to determine if credit cards were actually compromised.
Update: In a separate blog post published on Tuesday, Linode acknowledged ryan_'s claims, and confirmed that it believed the exploit used to attack its systems were two previously unknown vulnerabilities in Adobe ColdFusion.
It also confirmed that it uses public and private key encryption, adding that the private key itself is encrypted using a passphrase, which is not stored electronically. A Linode staff member later noted in the post's comments that this passphrase is "not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads".
Linode additionally found that although the company has received two reports of customers claiming fraudulent activity on their cards, it does not necessarily indicate a larger issue.
"We have no evidence decrypted credit card numbers were obtained," it reiterated.
However, it said that some Linode shell passwords were found to be stored in clear text. It has since reset these accounts. Likewise, it is now expiring API keys that may have been used by customers.
Updated on April 17, 2013, at 10.24am AEST: Added further information from Linode.