by nbpoole 5225 days ago
So, a customer service interface was compromised via stolen credentials and used to access various Linode instances. A couple questions that immediately come to mind:

1. Can this interface be accessed from anywhere on the Internet? If so, why? If not, does that mean other systems owned by Linode were compromised as well?

2. Why can customer service representatives access and update servers without the client being notified and with minimal logging?


Regarding #1, an update from Linode was just posted:

"Our investigation has revealed a customer support interface was used to access your account. The compromised credentials have been restricted and we are discussing policy changes to prevent this from recurring."

I'm a Linode fanboy, but we need maximum transparency on what occurred and what's being done. What support interface? How compromised? Whose credentials, etc.

Hopefully they're working on it, and will give a post mortem once they get it sorted out. I'm inclined to show patience and not demand they do anything other than ascertain the scale of the breach, alert those affected, and secure their systems at this point. Later, they can get into what happened and how they will avoid it in the future.

We can't wait for a full postmortem before Linode says anything.

Linode can't just leave us all wondering about our own security while poring over someone else's Pastebins.

Me too, I've been recommending them a lot and really like their service. I just checked our 2 boxes' uptimes just in case.

Where are you reading this? The status page and the blog have no mention of the incident.

It's from his e-mail conversation with Linode support: http://pastebin.com/UW7iT5fj

So hardly "from linode"

More accurately "according to somebody at linode"

er no, either. ITYM "according to an alleged discussion with a Linode employee".
That update had already been released when I made my original comment (hence why I said "a customer service interface was compromised via stolen credentials"). It doesn't reveal how the credentials were compromised, nor how the attacker managed to use them to log in.
Reading the ticket slush posted, it shows no password change logs. If linode was compromised, either the whole infrastructure was compromised (unlikely) or a rogue admin or an admin's compromised account accessed the vps and stole the $, as per the bitcoin forums. Total stolen is roughly $16,000 USD
> if linode was compromised either the whole infrastructure was compromised (unlikely)

That's funny. I know from experience in the script kiddie part of the Internet that it was sometimes exceptionally easier to hack entire datacenters (even ones worth millions of dollars) just to get into a few of their customers, especially if those customers secured themselves.

Hosting companies have very sophisticated websites sometimes, meaning that they're almost always vulnerable to something.

I know of an SQL injection in a very large U.S. datacenter's administration panel which has been there for at least six years. Six years and it has not been fixed, and maybe a dozen people have independently discovered it. The deeper you delve, the more you realize that at least a handful of people also have access to important upstreams/backbones.

It's a lot bigger of a mess than anybody realizes. A bit of advice: if you say you're secure, you're either lying or colocating.

Linode will send you a confirmation email if you access the admin panel from a "new" IP. This guy must have had his email address compromised as well.

Looks like a classic spear-attack.

So far there are 3 people who've reported their Linodes compromised. They all had popular Bitcoin services running on their Linode.

3 compromised emails? Very unlikely. They are all major contributors to Bitcoin, I think they know a little more than using the same password everywhere.

Linode will only send you a confirmation email if you enable the feature, otherwise tough luck. It's also been confirmed by the vice president of Linode to be a fault on their side.

Fair enough. I stand corrected.

More plausible to have broken web UI security than an entire bitcoin-community-wide targeting.

> Linode will send you a confirmation email if you access the admin panel from a "new" IP. This guy must have had his email address compromised as well.

The attack was not via the consumer facing admin panel. It was the internal Linode customer service interface.

> Linode will send you a confirmation email if you access the admin panel from a "new" IP.

IF you have the IP whitelisting feature enabled on your account. It is not by default.
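The thread raises two controls: the customer-facing "new IP" confirmation e-mail, which only protects accounts that opted in, and the lack of logging and customer notification when a support-interface session touches a customer's servers (question #2 in the original post). The following is an added illustration, not Linode's code and not from any commenter: it models both controls over constructed sample accounts and access events, and adds a simple detection for one staff login reaching into many customer accounts in a short window. Account names, IPs, the staff id `support-1138`, and the `evaluate`/`staff_fanout` functions are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Actions a support session can take that warrant extra scrutiny (assumed list).
PRIVILEGED_ACTIONS = {"reset_root_password", "console_access", "reboot"}


@dataclass
class Account:
    name: str
    known_ips: Set[str]
    new_ip_alerts: bool = False  # opt-in, mirroring "not by default" in the thread


@dataclass
class AccessEvent:
    account: str
    actor: str       # "customer" or a support-staff login id
    source_ip: str
    action: str
    channel: str     # "customer_panel" or "support_interface"


@dataclass
class Decision:
    event: AccessEvent
    notify_customer: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(event: AccessEvent, accounts: Dict[str, Account]) -> Decision:
    """Decide whether the customer is told about this access. Every event is
    audited regardless; this only decides the notification."""
    acct = accounts[event.account]
    d = Decision(event=event, notify_customer=False)
    if event.channel == "customer_panel":
        if event.source_ip in acct.known_ips:
            d.reasons.append("known source IP")
        elif acct.new_ip_alerts:
            d.notify_customer = True
            d.reasons.append("new source IP")
        else:
            # The gap the thread points at: the check runs, but nobody is told.
            d.reasons.append("new source IP, alerts disabled")
    elif event.channel == "support_interface":
        # Staff reaching into a customer account always notifies the customer,
        # so stolen staff credentials cannot be used silently.
        d.notify_customer = True
        d.reasons.append(f"support-interface action by {event.actor}")
    else:
        raise ValueError(f"unknown channel {event.channel!r}")
    return d


def process(events: List[AccessEvent], accounts: Dict[str, Account]) -> List[Decision]:
    return [evaluate(e, accounts) for e in events]


def staff_fanout(decisions: List[Decision], threshold: int = 2) -> Dict[str, int]:
    """Detection: staff ids whose privileged support actions touched more than
    `threshold` distinct customer accounts in the audited batch."""
    touched: Dict[str, Set[str]] = {}
    for d in decisions:
        ev = d.event
        if ev.channel == "support_interface" and ev.action in PRIVILEGED_ACTIONS:
            touched.setdefault(ev.actor, set()).add(ev.account)
    return {actor: len(accts) for actor, accts in touched.items() if len(accts) > threshold}


# Constructed sample data (documentation-range IPs, fictional accounts and staff id).
ACCOUNTS = {
    "alice": Account("alice", {"203.0.113.5"}, new_ip_alerts=True),
    "bob": Account("bob", {"198.51.100.7"}, new_ip_alerts=False),
    "carol": Account("carol", {"192.0.2.9"}),
}
EVENTS = [
    AccessEvent("alice", "customer", "203.0.113.5", "login", "customer_panel"),
    AccessEvent("alice", "customer", "192.0.2.44", "login", "customer_panel"),
    AccessEvent("bob", "customer", "192.0.2.44", "login", "customer_panel"),
    AccessEvent("alice", "support-1138", "10.0.0.3", "reset_root_password", "support_interface"),
    AccessEvent("bob", "support-1138", "10.0.0.3", "reset_root_password", "support_interface"),
    AccessEvent("carol", "support-1138", "10.0.0.3", "console_access", "support_interface"),
]

if __name__ == "__main__":
    for d in process(EVENTS, ACCOUNTS):
        flag = "NOTIFY" if d.notify_customer else "silent"
        print(f"{d.event.account:6} {d.event.channel:18} {flag:6} {'; '.join(d.reasons)}")
    print("fan-out alerts:", staff_fanout(process(EVENTS, ACCOUNTS)))
```

Run as-is, the third event (bob, new IP, alerts off) is audited but stays silent, which is the "otherwise tough luck" case from the thread, while every support-interface event notifies the customer. The fan-out check fires for `support-1138` because one staff login performed privileged actions on three accounts, the pattern the thread describes for the three compromised Linodes.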