VPS host Linode issues customer-wide password reset

Summary: After discovering and blocking an attack on one of its customers' accounts, Linode has issued a password reset to all of its customers.

Virtual Private Server (VPS) hosting company Linode has reset the passwords on all of its user accounts following a "coordinated attempt to access one of our customers".

In an email sent to its customers, it wrote that it had discovered and blocked suspicious activity on the Linode network, specifically targeting one particular customer's hosting package.

"We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed."

While Linode did not divulge who the customer was, it said that it was aware of the attempt on its account and of the extent and impact of the attempted breach.

"We have been advised that law enforcement officials are aware of the intrusion into this customer's systems."

Although other customers' accounts have not been affected, Linode has decided to reset all passwords and is recommending that users change their shell passwords, as well as regenerate any Linode API keys that they may have.

There are currently claims that the breach extends beyond a single customer. A Linode customer wrote on the WebHosting Talk forum that they had been contacted by a hacker with the online handle "ryan_".

Ryan_ claims that his hacking group, Hack The Planet, had access to the manager.linode.com domain via a ColdFusion exploit and that it had a deal with Linode staff not to share it. He alleges that Linode broke the deal by contacting law enforcement, and that while credit card details were stored encrypted, the private and public keys required to decrypt them were also stored on a compromised server.

Linode currently has an investigation under way and has told customers that it is unable to comment on ryan_'s claims.

Ryan_ had posted a directory listing for the linode.com website, which should normally not be visible to the public. The files and directories in the listing match most of those currently in use, including filenames that should not be easy to guess. The listing does not, however, provide enough information to determine if credit cards were actually compromised.

Update: In a separate blog post published on Tuesday, Linode acknowledged ryan_'s claims, and confirmed that it believed the attack on its systems exploited two previously unknown vulnerabilities in Adobe ColdFusion.

It also confirmed that it uses public and private key encryption, adding that the private key itself is encrypted using a passphrase, which is not stored electronically. A Linode staff member later noted in the post's comments that this passphrase is "not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads".

Linode added that although it has received two reports of customers claiming fraudulent activity on their cards, this does not necessarily indicate a larger issue.

"We have no evidence decrypted credit card numbers were obtained," it reiterated.

However, it said that some Linode shell passwords were found to be stored in clear text. It has since reset these accounts. Likewise, it is now expiring API keys that may have been used by customers.
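The two designs described in this update, the passphrase-protected private key and the alternative to cleartext password storage, can be sketched in a single piece of code. What follows is an added example and not Linode's code; the article names none of its algorithms or parameters, so the choice of RSA-OAEP for the card data, AES-GCM for wrapping the private key, PBKDF2-HMAC-SHA256 as the passphrase-to-key derivation, the 100,000-iteration count, the `CardVault`/`HashPassword` names and the `4111111111111111` test card number are all assumptions made here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

const kdfIterations = 100_000 // assumed value; tune to hardware in real deployments

// deriveKey is PBKDF2-HMAC-SHA256 for one 32-byte block (RFC 8018), written out
// so the example stays stdlib-only; real code should use scrypt or Argon2 instead.
func deriveKey(secret, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// gcmFor returns AES-256-GCM for a 32-byte key; a failure here is a programming bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES's 16-byte block size is always valid for GCM
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing sensible to continue with
	}
	return b
}

// CardVault models the scheme the article describes: card numbers are encrypted to
// an RSA public key, and the private key exists on disk only wrapped under a key
// derived from a passphrase that is never stored electronically.
type CardVault struct {
	Public     *rsa.PublicKey
	Salt       []byte // KDF salt for the wrapping key
	WrappedKey []byte // nonce || AES-GCM(PKCS#1 private key)
}

func NewCardVault(passphrase string) (*CardVault, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	salt := randomBytes(16)
	gcm := gcmFor(deriveKey([]byte(passphrase), salt, kdfIterations))
	nonce := randomBytes(gcm.NonceSize())
	wrapped := gcm.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)
	return &CardVault{Public: &priv.PublicKey, Salt: salt, WrappedKey: wrapped}, nil
}

// EncryptCard needs only the public key, so the web tier never holds the private key.
func (v *CardVault) EncryptCard(pan string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, v.Public, []byte(pan), nil)
}

// DecryptCard works only when an operator supplies the passphrase: Salt and WrappedKey
// copied from a compromised server are not enough on their own, and a wrong passphrase
// fails GCM authentication rather than yielding a garbage key.
func (v *CardVault) DecryptCard(passphrase string, ct []byte) (string, error) {
	gcm := gcmFor(deriveKey([]byte(passphrase), v.Salt, kdfIterations))
	n := gcm.NonceSize()
	der, err := gcm.Open(nil, v.WrappedKey[:n], v.WrappedKey[n:], nil)
	if err != nil {
		return "", err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return "", err
	}
	pan, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	return string(pan), err
}

// HashPassword is what replaces cleartext shell-password storage: a per-user random
// salt and a slow hash are kept, never the password itself.
func HashPassword(password string) (salt, hash []byte) {
	salt = randomBytes(16)
	return salt, deriveKey([]byte(password), salt, kdfIterations)
}

// VerifyPassword recomputes the hash and compares it in constant time.
func VerifyPassword(salt, hash []byte, password string) bool {
	return hmac.Equal(hash, deriveKey([]byte(password), salt, kdfIterations))
}
```

The point the update makes is visible in `DecryptCard`: everything an intruder could copy from the host (`Salt`, `WrappedKey`, the ciphertexts) is useless without the passphrase, so the strength of that passphrase and the discipline of never writing it down are what the whole design rests on. The same `deriveKey` serves `HashPassword`, which is why a store of salted slow hashes can be leaked without directly exposing the shell passwords it protects.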

Updated on April 17, 2013, at 10.24am AEST: Added further information from Linode.

Topics: Security, Cloud, Servers, Storage, Virtualization, Web development

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

2 comments
  • Deeper issues than credit card data being leaked?

    An interesting situation.

    For those more curious about the larger theoretical issues relating to structural VPS security, we're tracking how this plays out in a thread here:

    https://www.cryptocloud.org/viewtopic.php?f=25&t=2807

    Folks might want to read the green-highlighted text in one of the posts, if they're running FDE and aren't aware of the limitations thereof in a situation like this.

    If HTP had root on the physical machines, then the VPSes running on them are vulnerable - passwords or not. Which includes injecting rootkits "up" into the VPSes from the hypervisor - password cycling would do nothing to resolve that attack vector. Not saying this happened, but it's theoretically implicit in the structure of the systems in question.

    Credit card data could be the least of the worries...
    Baneki Privacy Labs
  • Move out of Linode to Jelastic

    I think it is high time we should be moving out of VPS to PaaS (Platform as a Service). I was a customer with Linode, but now moved to Jelastic (http://jelastic.com). All these config options will try to confuse users at a fair level of knowledge (experts are out of league) and Jelastic here hits the nail on the head. They have excellent web UI, super software stack, no hassle configs and zero vendor lock-ins. I recently moved and I am very happy and I think whoever uses it will also become an evangelist for their service.

    Surya
    chotachetan