Security Notification and Linode Manager Password Reset

January 5, 2016 1:53 pm

Effective immediately, Linode Manager passwords have been expired. You will be prompted to set a new password on your next login. We regret this inconvenience; however, it is a necessary precaution.

A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or online, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. Resetting your password will invalidate the old credentials.

This may have contributed to the unauthorized access of the three Linode customer accounts mentioned above, which were logged into via manager.linode.com. The affected customers were notified immediately. We have found no other evidence of access to Linode infrastructure, including host machines and virtual machine data.

The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings.

You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing. At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be.

The security of your data, the functionality of your servers, and your confidence in Linode are extremely important to all of us. While we feel victimized ourselves, we understand it is our responsibility, and our privilege as your host, to provide the best possible security and service. You can help further enhance the security of your account by always using strong passwords, enabling two-factor authentication, and never using the same password at multiple services.

We sincerely apologize for the recent disruptions in your Linode service. Thank you for your patience, understanding and ongoing trust in Linode.

5 Responses

  1. To clarify, when you say “user credentials on an external machine”, are we talking about hashed passwords or plaintext passwords? And is the external machine a system operated by Linode, that was not supposed to have these credentials on it, or a system operated by a 3rd party?

  2. Does this issue impact API keys?

  3. “The security of your data, the functionality of your servers, and your confidence in Linode are extremely important to all of us. While we feel victimized ourselves, we understand it is our responsibility, and our privilege as your host, to provide the best possible security and service.”

    I understand the goal of this is to convey your sincerity and attempt to connect with the audience, but it’s starting to ring hollow. This announcement is light on details, and this paragraph makes it feel even more like hand-waving.

    I understand you may not be ready to provide a full breakdown at this moment, and I look forward with optimism that such a breakdown will be provided in the future, but until then, I think it may be more appropriate to trim some of the PR spin and get back to the frank, up-front communication that got people interested in Linode in the first place. The people reading this page are smart, they’re technical, and they know PR spin when they see it: remind them that the folks at Linode are smart and technical as well.

  4. Is the vulnerability the attacker used to read the DB fixed now? Or do you know how he got the credentials for your database?

  5. @Les Aker “The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds.”

    It looks like they are not plain text passwords but rather properly salted/hashed ones as would be expected.

    We’re patiently riding this out. Luckily our linodes were not in Atlanta, so our downtime has been quite minimal so far (all things considered).