Code Spaces Demise Exposes Cloud Security Failings

Hosting service Code Spaces has been forced to close after an attacker managed to access its Amazon Web Services EC2 control panel and delete most of its customers’ data

Popular code hosting service Code Spaces has been forced to close after an attacker managed to access its Amazon Web Services EC2 control panel and delete most of its customers’ data.

A note on what remains of the Code Spaces site explained that the events leading up to its demise began with a “well orchestrated” distributed denial-of-service (DDoS) attack on Tuesday.
 
The still-unidentified assailant was then discovered to have gained access to the firm’s EC2 control panel and left a series of messages with a contact Hotmail address.
 
“Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS,” Code Spaces said.
 
At this point the firm tried to wrest control of the panel back by changing its passwords.
 
“However the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel,” it added.
 
“We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances. In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”
 
The nightmare scenario should serve as a wake-up call to cloud hosters, their clients and end-users about the security gaps that still exist in the cloud.
 
Code Spaces marketed itself as a trusted provider offering "Rock Solid, Secure and Affordable Svn Hosting, Git Hosting and Project Management" with a “full recovery plan” in case things went wrong.
 
“Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of on-going credibility,” the statement concluded.
 
“As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us.”
 
Jeff Schilling, CSO at hosting firm FireHost, argued that security features should always be offered as an opt-out, never an opt-in, by cloud providers.
 
“Code Spaces will get a lot of criticism here, and rightly so, but cloud hosting providers are not blameless. Not by a long shot. Sometimes a hosting provider needs to save its customers from themselves and advise them on how to implement security controls,” he added.
 
“Most cloud providers take the position to provide the tools for customers to secure their data, such as 2-factor authentication, but it is up to the customer to use those tools. In my opinion, just saying ‘here are the security tools, use them if you want’ is just not enough.”
