Manager Security Incident
Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.
Here are the facts:
This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:
All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.
The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.
Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.
---
I won't argue Linode is blameless here, but it seems like the only reason it had such an outsized impact was because the 8 customers who were targeted evidently didn't do much to protect their assets from someone gaining unauthorized access to their servers--which is always a possibility with any publicly exposed server, with or without a breach of the service provider being involved.
Hi. This is my comment you keep linking to. Your understanding of what happened is flawed. I do not have signs that Linode was rooted in that compromise. The signals I do have are that they had their database compromised, and likely secret key material. That allowed attackers to crack the hashes offline, and then authenticate using MFA.
IMO, it's plain wrong to categorize that one as "getting full root control plane", where it was instead the compromising of individual accounts that may have had no access to the resources on an account.