UPDATE: In a statement emailed to the WHIR on Jan. 8, 2016, Linode said that there is “no evidence that any customer information could have been accessed beyond the user table. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds.” The company said it would use the incident as “an opportunity to re-evaluate all security aspects” of its internal systems; “It’s given us insight into parts of our infrastructure which can and will be advanced to protect our customers’ information and us. Security advancements will include additional redundancy, more robust monitoring, system hardening and improved policies and procedures in an effort to deliver the most reliable and secure hosting environment possible.”
Web hosting provider Linode has forced customer passwords to expire as a necessary precaution after discovering unauthorized access of user credentials.
In a post on its status page on Tuesday, Linode said that users will be prompted to set a new password on their next login.
Linode said that a security investigation led the company to discover two Linode.com user credentials on an external machine. The user table that could have been read contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds.
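The user-table design described above (passwords stored only as salted, iterated hashes; two-factor seeds stored encrypted under a key that lives outside the table) is what limits the damage when that table is read, and the forced-expiry step shown on the status page is a flag checked at next login. The following is an added illustration written for this article, not Linode's code; the PBKDF2 work factor, the HMAC-SHA256 counter-mode encryption (a standard-library stand-in for AES-GCM), the `SEED_MASTER_KEY` location and all user values are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumption: PBKDF2-HMAC-SHA256 at a work factor in line with current guidance.
PBKDF2_ITERATIONS = 600_000

# Constructed for this example: a key held outside the user table (e.g. in a KMS
# or application-server configuration), so a dump of the table alone cannot
# decrypt two-factor seeds.
SEED_MASTER_KEY = secrets.token_bytes(32)


@dataclass
class UserRecord:
    """One row of the user table, holding nothing that reveals a password or seed on its own."""
    username: str
    email: str
    password_salt: bytes
    password_hash: bytes
    totp_seed_ciphertext: bytes
    password_expired: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Per-user salt plus an iterated KDF: a leaked hash still costs an attacker work per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _subkeys(master: bytes):
    """Derive independent encryption and MAC keys from the master key (HMAC as a PRF)."""
    enc = hmac.new(master, b"totp-seed-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"totp-seed-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real AEAD such as AES-GCM."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def encrypt_seed(seed: bytes, master: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_seed(blob: bytes, master: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("seed ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def seed_tamper_detected(blob: bytes, master: bytes) -> bool:
    """True when a modified ciphertext is rejected rather than silently decrypted."""
    try:
        decrypt_seed(blob, master)
    except ValueError:
        return True
    return False


def create_user(username: str, email: str, password: str, totp_seed: bytes) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(
        username, email, salt,
        hash_password(password, salt),
        encrypt_seed(totp_seed, SEED_MASTER_KEY),
    )


def expire_all_passwords(table) -> None:
    """The precaution from the status page: every account must set a new password at next login."""
    for user in table:
        user.password_expired = True


def login(user: UserRecord, password: str) -> str:
    """Returns 'denied', 'reset_required' or 'ok'; comparison is constant-time."""
    candidate = hash_password(password, user.password_salt)
    if not hmac.compare_digest(candidate, user.password_hash):
        return "denied"
    return "reset_required" if user.password_expired else "ok"


if __name__ == "__main__":
    # Constructed sample account; the seed is a placeholder, not a real secret.
    table = [create_user("alice", "alice@example.com", "correct horse battery", b"0123456789abcdef0123")]
    print(login(table[0], "correct horse battery"))   # ok
    expire_all_passwords(table)
    print(login(table[0], "correct horse battery"))   # reset_required
```

The point of the split is that the row by itself yields neither a password (only an iterated, salted hash) nor a usable two-factor seed (only ciphertext whose key is elsewhere), and that the `password_expired` flag lets an operator invalidate every credential in one pass without learning or handling the passwords themselves.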
According to Linode, it is unclear whether this issue is related to the DDoS attacks that have been targeting the host since Christmas Day and were mitigated on Jan. 5. The hosting provider has promised to share a more detailed post-mortem once it has more information.
“The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings,” Linode said. “You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing. At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be.”
“The security of your data, the functionality of your servers, and your confidence in Linode are extremely important to all of us. While we feel victimized ourselves, we understand it is our responsibility, and our privilege as your host, to provide the best possible security and service. You can help further enhance the security of your account by always using strong passwords, enabling two-factor authentication, and never using the same password at multiple services.”
“Something inspiring happened over the past few weeks,” said David Roesch, Linode’s director of marketing. “Instead of expressing frustrations online, the majority of Linode’s customers rallied to our defense, thanked our team for above-and-beyond effort, and displayed a type of sincere loyalty that most providers can only dream of. We even had a customer from California send in pizza for the support team to keep them going. Our whole team has been encouraged by the support we’ve received during this difficult time.”