http://slashdot.org/firehose.pl?op=view ... id=2603667

An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."

There is more discussion about this topic over on HackerNews: https://news.ycombinator.com/item?id=5552756

I'd really like to hear confirmation from Linode if CCs were taken or not.

EDIT: re-reading Linode's blog post, it says:

So I guess we can assume not CCs were taken.

Nothing anybody on slashdot or ycombinator linked to demonstrates that anything more than the linode.com webserver and forums were compromised. There was a claim that Linode stored customer credit card information on a compromised server effectively unprotected (encrypted but keys stored in the same location), but there was no evidence of this provided.

I'm a little suspicious that I was allowed to just type in my new password twice in order to reset.

Doesn't changing the password from within the usual linode manager interface...

... like, I thought it requires the old password be entered in order to reset a password or make other changes?

You had to log in first with a original password. You should also have gotten notification that you password changed via email to your contact email address.

I went and changed it again a few hours later using the normal password change process.

_________________
Kevin a.k.a. Dweeber

Then you aren't reading: http://seclists.org/nmap-dev/2013/q2/3

Seclist admin clearly states:

A lookup on the IP address for nmap.org shows that the NMAP website is hosted on a Linode server. I would assume that the attackers wishing to comprimise the nmap.org website (and the NMAP tool) noticed that the reverse lookup on that IP address showed up as ending with ".members.linode.com", and started their directed attack from there. As Linode themselves stated, the attack on Linode was directed at one specific customer/account, assuming with a brute force attack, so it's most likely that if any account was comprimised, it was limited to that specific account.

Yea, and they just also stated that they did take credit card details.

This is why I ALWAYS use one-use credit cards for online purchases.

Pretty much any big credit card vendor offers them.

Then if they're lost/stolen/hacked - they're already used and of ZERO value.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

We really need more details concerning this incident... was it a brute force password attack such as that we're seeing against WordPress? It certainly doesn't sound like that from the information available. Linode needs to provide additional details, what vulnerability? What fix?

Is this a case of doing the right thing or lawyer-ing up?

Hopefully, it's an unknown vulnerability and Linode is just allowing time for developers to close the loophole before disclosing the actual details. Hopefully!

Read the blog: http://blog.linode.com/2013/04/16/secur ... nt-update/

Linode breached again?? Seriously not impressed

Where did you see that? I didn't see it in the couple of articles I read.

Look two posts above yours.

Dammit, This is really worrying. It's one phone call to get a credit card canceled and a new one in the post. If I'm not told I can't make that call.

I'd be interested in finding out who was trying to h4x0r nmap though.

EDIT: Thought I was on slashdot and commented without reading the blog.