Virtual private server firm Linode has been forced to reset all user passwords after an investigation discovered two Linode.com user credentials on an “external machine,” barely a week after it was blitzed by a series of DDoS attacks.
“This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.”
It’s unclear in what form the credentials were recovered. Secure hashing protects only the plaintext: an attacker who can read the user table still obtains the salted hashes and can try to crack weak or reused passwords offline, so a forced reset, not the hashing alone, is what actually retires the exposed values. Several users took to the comments section of the Linode blog to vent their anger and demand more detailed information.
One frequent criticism is that users apparently weren’t emailed individually to inform them of the password reset.
However, many jumped to the defense of the firm, arguing that as an investigation into the potential security breach is ongoing it would be unwise to release too many details.
It’s also unclear whether the breach is tied to a recent DDoS attack campaign against the firm which began on Christmas Day.
In the week following, Linode engineers had to deal with “over 30 attacks of significant duration and impact,” according to an update from network engineer Alex Forster.
“Please know that we are dedicating all resources from multiple departments to stopping these attacks,” he concluded.
It could be that they were launched to distract the IT team from the attempted incursion into Linode’s systems highlighted by the latest advisory.
“You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing,” Linode said in its most recent post.
“At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be.”
In the meantime, the firm is recommending users improve security by using strong passwords, enabling two-factor authentication, and never reusing credentials across multiple services.
Photo © Andrea Danti