Security

Linode Forces Password Resets After Unauthorized Access Detected

1 comment

UPDATE: In a statement emailed to the WHIR on Jan. 8, 2016, Linode said that there is “no evidence that any customer information could have been accessed beyond the user table. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds.” The company said it would use the incident as “an opportunity to re-evaluate all security aspects” of its internal systems; “It’s given us insight into parts of our infrastructure which can and will be advanced to protect our customers’ information and us. Security advancements will include additional redundancy, more robust monitoring, system hardening and improved policies and procedures in an effort to deliver the most reliable and secure hosting environment possible.”

Web hosting provider Linode has forced customer passwords to expire as a necessary precaution after discovering unauthorized access of user credentials.

In a post on its status page on Tuesday, Linode said that users will be prompted to set a new password on their next login.

Linode said that a security investigation led the company to discover two Linode.com user credentials on an external machine. The user table that could have been read contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds.

According to Linode it is unclear if this issue is related to the DDoS attacks were mitigated on Jan. 5 and have been targeting the host since Christmas Day. The hosting provider has promised to share a more detailed post-mortem once it has more information.

“The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings,” Linode said. “You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing. At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be.”

“The security of your data, the functionality of your servers, and your confidence in Linode are extremely important to all of us. While we feel victimized ourselves, we understand it is our responsibility, and our privilege as your host, to provide the best possible security and service. You can help further enhance the security of your account by always using strong passwords, enabling two-factor authentication, and never using the same password at multiple services.”

Recently, Linode announced it had bought a historic building in Philadelphia to serve as office space.

“Something inspiring happened over the past few weeks,” said David Roesch, Linode’s director of marketing. “Instead of expressing frustrations online, the majority of Linode’s customers rallied to our defense, thanked our team for above-and-beyond effort, and displayed a type of sincere loyalty that most providers can only dream of. We even had a customer from California send in pizza for the support team to keep them going. Our whole team has been encouraged by the support we’ve received during this difficult time. ”

Newsletters

Subscribe Now and Get Our Exclusive Report on "The Hosting Infrastructure Ecosystem"

Enter your email to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.

Related Forum Threads

About the Author

Nicole Henderson is the Editor in Chief of the WHIR, where she covers daily news and features online. She has a bachelor of journalism from Ryerson University in Toronto. You can find her on Twitter @NicoleHenderson.

Add Your Comments

  • (will not be published)

One Comment

  1. I don't envy web hosting providers who are under constant threat of been hacked. The more technology advances, the more things can go wrong. Even though companies such as Linode have high tech security in place, there is always a risk of sensitive customer data falling into the wrong hands as hackers become more efficient at cracking their systems and exploiting holes in security. The security must start from the clients home computer, as most of my families computers are poorly secured, so once infected with a virus, hackers can attain information that allows them to access online accounts.

    Reply