by glfomfn 5216 days ago
I am failing to understand what exactly happened.

The user who was affected by the incident quoted an email from Linode that stated "Our investigation has revealed a customer support interface was used to access your account." Based on that and all the information in that post, you get the impression that through the 'interface' the attacker was able to change the VPS root password.

Now a reply from Linode comes and says "The portal does not have access to credit card information or Linode Manager user passwords". So if the portal doesn't have access to Linode Manager, how did the attacker gain the ability to change the root passwords?

They should give more details on the incident. I do have a certain trust in the ability of Linode to have a secure environment, and I can understand that things like that will happen at some point to everyone. However, it's one thing for someone to get access to your system because you had your root password set to 'password' and another if there was a bug that got exploited. (Yeah, this is an extreme example.)

4 comments

> So if the portal doesn't have access to Linode Manager

They didn't say that, they said it doesn't have access to the passwords. They have an interface to change details, they just can't read them. So they can reset your password to "hunter2" but they can't see if it's "hunter2".

You are right, my bad on that. Still, this looks more like a public relations post by them than giving out facts. They should be explaining what the attacker could do by gaining access to that interface; the ability of the attacker to change the password has the same consequences.

The point is that the exploited interface had backdoor access to the virtual machines (to be able to change passwords or whatever).

I understand how this might be confusing to a third party, but Linode's response thus far makes perfect sense to those of us who have been customers for a while. We're pretty aware of the general parameters of Linode's internal systems.
I run a web app. I built an administrative interface for managing it. This interface includes the ability to log me in to any individual user's account (by appropriately initializing a session with that user's ID, the same as logging in normally would do), and to reset any individual user's password. This interface does not let me view any user's passwords; it's both technically impossible, as I don't store them in plain text or encrypted form, and unnecessary.

Unless you believe they're lying, Linode has the same thing: some interface where they can access their users' Linode Manager accounts, but that interface does not show Linode Manager passwords or credit card information.

Likewise.

> Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted

Does that mean the credentials were gained outside of Linode and used to change the root passwords of the accounts for the purposes of the theft, or were those credentials used as part of an exploit in Linode's systems?
It sounds like Linode's user system is different from their server management system. They probably have some administration tools for resetting VPS passwords, but don't have access to sensitive user details.