[falcolas]

> they didn't tell anyone until weeks after the fact.

Unfortunately, this is fairly standard practice in the industry. Companies want to make sure the vulnerability is closed, positively identify what was compromised, who was affected, what legal liability exists, and so forth.

Weeks is, frankly, pretty quick to go through that process.

> There's not much more to say -- they are dead.

Huh. Funny, I'm still hosting things there; their prices are competitive, there are no rumors of acquisition or shutdown... Seems quite alive to me.

> They will be hacked in 2017.

And, as I stated originally, I have no reason to think they will be unique in this.

[ryanlol]

I don't think there's any reasonable arguments left to defend Linode with.

https://news.ycombinator.com/item?id=10845278

There's a clear, undeniable pattern of incompetence here.

I also suggest reading this glassdoor review: https://imgur.com/sJd56AT

And this thread: https://news.ycombinator.com/item?id=11136743

[developer2]

>> this is fairly standard practice in the industry. Companies want to make sure the vulnerability is closed, positively identify what was compromised, who was affected, what legal liability exists, and so forth.

This is so far beyond malicious and incompetent it should be illegal. What you really mean is "Are we obligated to report this to our customers, or can we cover this up and get away with not letting anyone know we've (maybe/probably) been hacked?".

Customers' entire businesses are on the line. As in, a company can literally go bankrupt and/or be forced to shut down if the hack affects them. The only acceptable resolution is to warn customers within ONE HOUR of knowing that their company MAY be at risk of a hack. One day is already too late. A week later means that no pre-emptive mitigation was even possible, and it's simply too late to even try and protect oneself.

IT IS STRAIGHT UP NOT ACCEPTABLE, TO NOT IMMEDIATELY INFORM A CLIENT OF A __POTENTIAL__ THREAT TO THEIR BUSINESS. ___POTENTIAL___, NOT ___CONFIRMED___.

Companies like Linode are so busy trying to cover their own PR asses, that they don't understand just HOW CRITICAL it is that their clients be instantly informed of any potential threat. They think their business's reputation is important, without having a single clue that their entire business's success relies on their clients' businesses being safe. Informing all their customers that there is a 0.00001% chance that their account has been compromised FAR OUTWEIGHS the eventuality that even a single account was in fact compromised.

They just don't get it. They are prioritizing their own business's PR over their clients' businesses' well-being. And so a single hack reported weeks after the fact, without any early warning having been raised, completely destroys all credibility. A hosting provider should be put out of business after a single such failure to immediately warn clients of even a remote possibility of a problem.

tldr; Providers like Linode who prioritize confirming their liability, before so much as even considering issuing a warning to their clients that they may have been compromised, should not be allowed to do business. It really is as simple as that, and frankly anyone who continues to host with a provider that failed to raise any warnings until weeks after a potential hack deserves whatever business-destroying event happens to them next time. You cannot trust a company once they've purposely postponed releasing crucial details of an incident. Quite literally: in the future, when you find out you've been hacked on Linode a month after the fact... what the fuck did you expect? Precedent indicated this was the likely outcome... you got exactly what you stayed signed on to experience!