[microtonal]

Indeed, we are a Linode customer, and this message only helps a bit. Yes, I know now that we are not affected. But little other information is given: were the user accounts compromised by a vulnerability in Linode's VM management software? If so, was this vulnerability found and fixed? Or did the attacker compromise the account of one of Linode's employees?

[epaik]

I believe in an earlier statement they did say that they fixed the vulnerability. No idea why they didn't explicitly state so in this new statement.

[StavrosK]

I don't think there was a vulnerability. As I understood it, somebody stole a support person's credentials and logged in with them.

[lambda]

Yes, but how did they steal the credentials? Did they find a sticky note with the username and password written down? Or was there a vulnerability in the admin interface that allowed someone to sniff credentials? Or did they hack into the personal computer of someone with admin privileges?

Basically, this announcement gives me no confidence that they've done due diligence in fixing this problem. They haven't explained what the vulnerability actually was, nor what they have done to avoid it in the future.

Of course, this does speak to the dangers of using hosted services for anything that needs a high level of security. Anyone with appropriate admin privileges on the host system can compromise any user. That increases the attack area considerably; you don't need to attack the system directly, nor the users of the system in question, you just need to find one person who has admin privileges who is vulnerable, steal their credentials, then attack any users at your leisure.

[microtonal]

Ok, I missed the earlier statement. Thanks for the information!