Under-attack Linode resets passwords after logins leak onto web

Linode's woes continue: the server hosting biz has just run a system-wide password reset on customer accounts after two Linode.com user credentials were discovered “on an external machine.”

The advisory, posted here, says the leak “implies user credentials could have been read from our database, either offline or on, at some point."

In other words, it sounds as though miscreants may have infiltrated the New Jersey company's systems.

“The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds,” the statement continues. This is also curious, because if the passwords were "securely hashed," attackers shouldn't have been able to recover them.

The alert says the credentials were discovered during an investigation after authorized logins into three customer accounts. Linode says it's unable to speculate about whether these suspect logins are related to the crippling denial-of-service attacks that hammered its servers offline in late December.

The Register notes that crooks often use distributed denial-of-service assaults to distract security staff from database infiltrations.

The floods of junk packets are continuing, particularly against Linode's DNS infrastructure. The company has temporarily disabled the AFXR protocol (used for DNS database replication across multiple servers).

Its blog has also been targeted, perhaps in an attempt to make it hard for customers to get information. The full statement is below in case it disappears. ®

Security Notification and Linode Manager Password Reset

Effective immediately, Linode Manager passwords have been expired. You will be prompted to set a new password on your next login. We regret this inconvenience, however this is a necessary precaution.

A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.

This may have contributed to the unauthorized access of the three Linode customer accounts mentioned above, which were logged into via manager.linode.com. The affected customers were notified immediately. We have found no other evidence of access to Linode infrastructure, including host machines and virtual machine data.

The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We've retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings.

You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing. At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be.

The security of your data, the functionality of your servers, and your confidence in Linode are extremely important to all of us. While we feel victimized ourselves, we understand it is our responsibility, and our privilege as your host, to provide the best possible security and service. You can help further enhance the security of your account by always using strong passwords, enabling two-factor authentication, and never using the same password at multiple services.

We sincerely apologize for the recent disruptions in your Linode service. Thank you for your patience, understanding and ongoing trust in Linode.