Cloud host Linode resets user passwords after suspected hack

It's the second time in as many years that the cloud hosting company has reset its user passwords.

Virtual private hosting firm Linode is having a rough start to the year.

The Galloway, New Jersey-based company said Tuesday that it has reset the passwords of its entire user base, after suspecting a data breach.

In a statement on its status blog, the company said it found two Linode user credentials on an "external machine," implying that usernames and passwords "could have been read from our database, either offline or on, at some point."

The database includes usernames, email addresses, and securely hashed passwords and encrypted two-factor seeds, but no further details were given.

The company touts Creative Commons, satirical news site The Onion, and weather app Dark Sky as customers.

Linode said it did not know who was behind attacks on its systems, but it had "not been contacted by anyone taking accountability or making demands."

The message on its status page came just a few hours after a massive distributed denial-of-service (DDoS) attack against its systems on Sunday. Linode said it was caused by a "bad actor" who purchased a large amount of botnet capacity. Following the announcement, a separate posting confirmed its blog was experiencing a denial-of-service attack.

But Linode said it was not sure if the recent attacks on its systems were related.


These companies lost your data in 2015's biggest hacks, breaches

Was your data stolen by hackers? (HInt: it probably was.)

Read More

Users will be prompted to change their passwords when they next log in, which will "invalidate" the old credentials.

The company, founded in 2003, underwent a similar password reset two years ago following a "coordinated attempt to access one of our customers," it said in an email to its users. It was said that a hacker group was able to exploit a flaw in ColdFusion, allowing unauthorized access to the Linode manager domain.

Some users were quick to criticize the company, which at the time of writing had not emailed customers with the details that were posted to the status page.

"If an attacker had my old, leaked password they could have just gone through the reset process for my account themselves," said one customer, who added that he found out from the news-sharing site Reddit.

We've reached out to Linode for more details, and will update this piece if we hear back.