Cloud hosting provider Linode has been combatting DDoS attacks since Christmas Day, which have caused multiple disruptions and service outages across its global data centers. The attacks are ongoing and the company is struggling to keep its status blog up to notify customers.
In addition to the DDoS attacks, Linode has also confirmed a data security breach:
A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.
All Linode Manager passwords have been expired as a precaution after customer credentials were found in the wild. The team is working around the clock to mitigate the DDoS attacks and further investigate the unauthorized access to customer accounts. Linode has not yet determined whether there is a link between the two attacks.
Several days ago, WP Engine identified its cloud infrastructure provider as the entry point for the company’s recent security breach. The company is listed as one of Linode’s customers. Jason Cohen, the company’s founder and CTO, jumped in to answer several questions in WP Tavern comments earlier today but would neither confirm nor deny that Linode is the cloud infrastructure provider in question.
PagerDuty, a former Linode customer and victim of a similar attack, speculates that Linode may have been compromised since July 2015 and is only now announcing it:
We immediately reached out to them not only to inform them of their compromise, but to assist them in investigating it. We were confident that the Linode database had been breached, and that the secret key used to encrypt information in the database had been compromised as well.
In addition to reaching out to Linode, we also worked with a third-party security firm to audit our work done during the incident. Likewise, around the same time we reached out to law enforcement to assist in investigating the attack. We did not get confirmation in July that there was a breach of the Linode Manager or any associated credentials.
PagerDuty migrated away from Linode in August because of this breach, but the company was not allowed to disclose to its customers that Linode was the point of entry.
WP Engine’s security breach is strikingly similar, as the company’s attacker bypassed multiple layers of authentication to gain access to an administrative panel. According to Cohen, “the criminal’s behavior in this exposure matches a pattern seen in other attacks throughout 2015.”
If multiple Linode customers have been affected and are unable to reveal the point of entry, they may have put pressure on the cloud hosting provider to finally publicly disclose the nature of the attack.
In an age when nearly every hosting provider will have attacks and service disruptions, what matters is how they handle it and communicate with their customers. Linode has been plagued by multiple security issues in the past. Failure to disclose incidents in a timely way can be costly, especially in the current competitive hosting market where transparency with customers is at a premium.
When Linode’s investigation of the criminal activity is complete, it would be appropriate for them to disclose how long they knew about this compromise and when they first acted on it. The most recent update on the security breach does not include a specific timeline of events.
From their announcement post, it sounds like the passwords were adequately hashed, so the only accounts compromised were likely those with very weak passwords.
Perhaps the DDOS attack is merely a way to distract Linode from finding the compromised accounts.
https://blog.linode.com/