Linode Forum
Linode Community Forums
Posted: Fri Mar 02, 2012 10:51 pm
Senior Newbie

Joined: Fri Mar 02, 2012 8:53 am
Posts: 5
OverlordQ wrote:
Second, no I wouldn't expect to be notified of that because it doesn't affect me. Critical management infrastructure being broken into, does.


It technically wasn't broken into in the same sense as someone hacking it. Someone had login credentials, logged in, did stuff. Linode knows exactly who was affected, and there's no risk at all of this affecting you if you haven't received a notification already. There simply isn't any need for an immediate notification to every customer when we know for sure that only a very specific set was affected and nobody else will be affected in the future.

There is a necessity to give some information to the general public about what had happened, sure, but they did that. Emails should only be used if people are required to take some sort of action. If you want to get status updates in general quickly, subscribe to the feed on status.linode.com. You can probably even get that as an email through some service.


Posted: Fri Mar 02, 2012 11:40 pm
Junior Member

Joined: Thu Mar 22, 2007 1:39 am
Posts: 23
In that case - how did the attacker(s) gain this level of access? How do we know that they no longer have this level of access? If those credentials are no longer valid, how do we know that the attacker cannot acquire new credentials and wreak more havoc?

Essentially, all we are told is 'someone had access, and did bad things. we removed said access.'

Not very informative.


Posted: Sat Mar 03, 2012 3:42 am
Senior Newbie

Joined: Wed Feb 29, 2012 7:51 am
Posts: 16
compizjoe wrote:
OverlordQ wrote:
Second, no I wouldn't expect to be notified of that because it doesn't affect me. Critical management infrastructure being broken into, does.


It technically wasn't broken into in the same sense as someone hacking it. Someone had login credentials, logged in, did stuff.


Not to add oil to the fire but as far as I can see, there is nothing in the status update to give the impression that it "wasn't broken into in the same sense as someone hacking it."

It could easily have been and the status update would still make sense. I think Linode is being deliberately vague at this point so as not to commit either way.

I do know a bit about this world that we are discussing, from both sides of the coin :twisted:


Posted: Sat Mar 03, 2012 4:03 am
Senior Newbie

Joined: Fri Mar 02, 2012 8:53 am
Posts: 5
rainkid wrote:
In that case - how did the attacker(s) gain this level of access? How do we know that they no longer have this level of access? If those credentials are no longer valid, how do we know that the attacker cannot acquire new credentials and wreak more havoc?

Essentially, all we are told is 'someone had access, and did bad things. we removed said access.'

Not very informative.


I suspect finding out exactly how the attackers stumbled upon those credentials will take some more research. But it is not reasonable to assume every single credential is also vulnerable. If someone gains unauthorized access to my system using credentials one of my users had written down somewhere, I would, as a system administrator, not then assume the login credentials of every account had become vulnerable. If the attackers did have more extensive access than a simple login credential, then it seems foolish to go through a process where their actions are immediately obvious and logged when they could simply just do whatever they wanted directly.

So either they're so smart they've been able to gain some kind of superprivileged access to the system, yet dumb enough to not use it, or this is simply a case of one login credential getting used by the wrong people. My money would be on the latter.

Why does everyone go out of their way to construct a movie plot threat out of this? :-P


Posted: Sat Mar 03, 2012 4:06 am
Senior Newbie

Joined: Fri Mar 02, 2012 8:53 am
Posts: 5
skn wrote:
Not to add oil to the fire but as far as I can see, there is nothing in the status update to give the impression that it "wasn't broken into in the same sense as someone hacking it."

It could easily have been and the status update would still make sense. I think Linode is being deliberately vague at this point so as not to commit either way.

I do know a bit about this world that we are discussing, from both sides of the coin :twisted:


Yes, the status update was a bit vague, I completely agree. After all, it was written only some hours after the event had occurred, I suspect it's more a case of limited knowledge at the time rather than a conspiracy to keep people in the dark. :-)


Posted: Sat Mar 03, 2012 10:45 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
rainkid wrote:
I find the above statement confusing. How does 'support representative' access allow access to 8 unrelated accounts (ie - different account holders, different accounts, probably different datacenters), yet not allow access to all other accounts?

To me, and probably to others, if the intruder(s) can attack 8 independent Linodes, then they can attack them all.

From my understanding, they got a login/password belonging to one of the Linode support reps - the first level of people who receive your support tickets. Logged in as him, and used the "reset root password for node" option for eight nodes. Everything was logged in the audit trail, so Linode knows what happened.
I sure hope I'm not mistaken about it, and we should demand a more detailed report - but in a reasonable time from now. Give 'em at least a week to respond before starting a riot.

_________________
rsk, providing useless advice on the Internet since 2005.


Posted: Sat Mar 03, 2012 3:39 pm
Junior Member

Joined: Wed Apr 06, 2011 8:20 am
Posts: 29
Somewhat off topic maybe but Slicehost / Rackspace forum just got rooted

http://www.rackspace.com/knowledge_center/content/slicehost-forum-archive-migration-and-conversion

Need a new best practices manual.


Posted: Sat Mar 03, 2012 4:01 pm
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
Quote:
We believe an unauthorized party gained access, for a period of time


Why does this sound familiar?

Two hosting companies within a day of each other... :o

_________________
If all else fails, reboot...
PHP Tutorials and MySQL Tutorials


Posted: Sat Mar 03, 2012 9:03 pm
Junior Member

Joined: Thu Mar 22, 2007 1:39 am
Posts: 23
The attacker somehow got the login credentials of a Support Rep, yet, knew EXACTLY which eight accounts to target.

How?


It's very likely that the attacker was from the inside, or had MUCH more access than we're told. How else would they know which (independent) accounts to target?

Again, not knocking Linode (they're great and I've told them this many times in the past), but something is amiss here.


Posted: Sat Mar 03, 2012 9:08 pm
Senior Member

Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
rainkid wrote:
The attacker somehow got the login credentials of a Support Rep, yet, knew EXACTLY which eight accounts to target.

How?


It's very likely that the attacker was from the inside, or had MUCH more access than we're told. How else would they know which (independent) accounts to target?

Again, not knocking Linode (they're great and I've told them this many times in the past), but something is amiss here.


Agreed. Linode may want to give us some more information soon to calm our wild imaginations...

_________________
If all else fails, reboot...

PHP Tutorials and MySQL Tutorials


Posted: Sat Mar 03, 2012 9:09 pm
Senior Member

Joined: Sun Sep 05, 2010 8:55 pm
Posts: 97
nehalem wrote:
Agreed. Linode may want to give us some more information soon to calm our wild imaginations...


I'm pretty sure there's nothing more they can really say that would quiet the more active imaginations.

See "birthers", for reference.


Posted: Sat Mar 03, 2012 9:58 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
nehalem wrote:
Agreed. Linode may want to give us some more information soon to calm our wild imaginations...

My neighbor's friend has an uncle that knew someone that read on Hacker News that Linode will be sending out partial rolls of generic tinfoil in the next billing cycle, and will include not three, but four unique ways to fold them into tinfoil hats guaranteed to protect you from the outer space Nargles and the local FBI.


Posted: Sun Mar 04, 2012 1:14 pm
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
rainkid wrote:
The attacker somehow got the login credentials of a Support Rep, yet, knew EXACTLY which eight accounts to target.

All of the victims were Bitcoin dealers. Machines running Bitcoin software are readily identifiable through a port scan or through transaction records with other Bitcoin machines. Once you know which IP addresses to target, it would be trivially easy for someone who has the credentials of a support rep to figure out exactly which accounts to break into.


Posted: Mon Mar 05, 2012 11:37 am
Senior Member

Joined: Sun Sep 05, 2010 8:55 pm
Posts: 97
hybinet wrote:
All of the victims were Bitcoin dealers. Machines running Bitcoin software are readily identifiable through a port scan or through transaction records with other Bitcoin machines.


See what you did? Injected actual facts into the tinfoil hat party, and totally killed it!


Posted: Thu Apr 05, 2012 7:48 am
Senior Member

Joined: Thu Jun 21, 2007 7:13 pm
Posts: 100
Website: http://neo101.org
Any updates with more details on what happened?

_________________
My homepage

