SWAT raids Linode offices as founder's server is attacked

Linode has been a victim of a SWATting prank, with its office searched for signs of explosives.

Virtual server provider Linode is again under attack, with an unknown attacker calling in a Special Weapons and Tactics (SWAT) raid on its offices, as well as accessing the personal server administered by its founder.

On Sunday afternoon, staff in Linode's offices in New Jersey were forced to leave as the Galloway Police Department, a SWAT team, and an explosives-sniffing dog swept the building, room by room, for an hour.

Linode founder and CEO Christopher Aker said that they had received a false report, but he thanked them for responding as they should have.

"It's their job, after all, to respond to reports, even if it turns out to be a hoax," he wrote on the company's blog.

"SWATting" is occasionally employed by attackers as a means to cause inconvenience to their victims, with an attack on information security journalist Brian Krebs one rather well-known example of an attack in recent times.

At the same time as the raid on Linode, however, Aker was made aware that an "old personal server" had been accessed, and while it did not form part of Linode's infrastructure — which is why it missed scrutiny — it contained an old backup of the company's forum database from March 2010.

"Forum users that existed at that time and who haven't changed their credentials since have had them revoked and will need to reset them," he wrote.

In April last year, Linode was forced to reset passwords when a hacking group breached its systems in order to get revenge on one of its hacking rivals that uses a domain registrar hosted by Linode.

The company quickly moved to strengthen its infrastructure after the attack.

"Last year, we stopped all other developments and focused on nothing but security for over six months. We did everything we could think of, from significantly reducing our internet-facing footprint to defining, testing, or improving practices and policies for going forward, to third-party penetration testing. We did this until we ran out of things to fix and ran out of ideas to pursue, and our security team continues to proactively assess our infrastructure and services."

At the time of its attack, a hacker called "Ryan_" posted in an IRC channel the username and credentials for the Linode forums, but on a third-party server, theshore.net. These credentials and the server name popped up again today when user "n0tryan" posted them on Linode's IRC channel.

It is unknown whether the third-party server is the one that Aker was referring to in his blog post, but a whois lookup revealed that Aker is listed as the contact for the domain, which was for virtual server provider Shore Network Technologies, the predecessor of Linode.

ZDNet obtained a copy of the database dump, which appears to contain a large amount of data used to test transactions. In many cases, credit card numbers as missing or are dummy values such as 4111111111111111.

While valid credit card details appear to be absent, the dump contains data for the phpBB forum software at the time, including usernames, email addresses, and hashed passwords.

Another table from the dump called "Customer" contains the the personal information for some of its staff members, such as vice president and COO Thomas Asaro, but also a very small handful of those that do not appear to be affiliated directly with Linode, or Shore Network Technologies. Information leaked includes the email and physical addresses for customers, phone numbers, and account balances.

The only other strange thing in the database dump was a number of advertisements selling puppies, and two news articles — one about illegal dog trading, taken from Sky News, and another about greyhounds recovering after being retired, from Bristol News.