Slashdot: Linode hacked, CCs and passwords leaked

http://slashdot.org/firehose.pl?op=view&type=submission&id=2603667

An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."

26 Replies

There is more discussion about this topic over on HackerNews: https://news.ycombinator.com/item?id=5552756

I'd really like to hear confirmation from Linode if CCs were taken or not.

EDIT: re-reading Linode's blog post, it says:
> In addition, we have found no evidence that payment information of any customer was accessed.
So I guess we can assume no CCs were taken.

Nothing anybody on slashdot or ycombinator linked to demonstrates that anything more than the linode.com webserver and forums were compromised. There was a claim that Linode stored customer credit card information on a compromised server effectively unprotected (encrypted but keys stored in the same location), but there was no evidence of this provided.

I'm a little suspicious that I was allowed to just type in my new password twice in order to reset.

Doesn't changing the password from within the usual linode manager interface…

… like, I thought it requires the old password be entered in order to reset a password or make other changes?

@kuzetsa:

I'm a little suspicious that I was allowed to just type in my new password twice in order to reset.

Doesn't changing the password from within the usual linode manager interface…

… like, I thought it requires the old password be entered in order to reset a password or make other changes?
You had to log in first with the original password. You should also have gotten a notification that your password changed via email to your contact email address.

I went and changed it again a few hours later using the normal password change process.

@Guspaz:

Nothing anybody on slashdot or ycombinator linked to demonstrates that anything more than the linode.com webserver and forums were compromised. There was a claim that Linode stored customer credit card information on a compromised server effectively unprotected (encrypted but keys stored in the same location), but there was no evidence of this provided.
Then you aren't reading: http://seclists.org/nmap-dev/2013/q2/3

Seclists admin clearly states:

> I'm sorry for the downtime over the last week, but someone compromised our hosting provider (Linode) and used that access to break into some of our virtual private server (VPS) systems.

A lookup on the IP address for nmap.org shows that the NMAP website is hosted on a Linode server. I would assume that the attackers wishing to compromise the nmap.org website (and the NMAP tool) noticed that the reverse lookup on that IP address showed up as ending with ".members.linode.com", and started their directed attack from there. As Linode themselves stated, the attack on Linode was directed at one specific customer/account, presumably with a brute force attack, so it's most likely that if any account was compromised, it was limited to that specific account.

> As Linode themselves stated, the attack on Linode was directed at one specific customer/account, presumably with a brute force attack, so it's most likely that if any account was compromised, it was limited to that specific account.

Yeah, and they also just stated that they did take credit card details.

> As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database.

This is why I ALWAYS use one-use credit cards for online purchases.

Pretty much any big credit card vendor offers them.

Then if they're lost/stolen/hacked - they're already used and of ZERO value.

We really need more details concerning this incident… was it a brute force password attack such as that we're seeing against WordPress? It certainly doesn't sound like that from the information available. Linode needs to provide additional details, what vulnerability? What fix?

Is this a case of doing the right thing or lawyer-ing up?

Hopefully, it's an unknown vulnerability and Linode is just allowing time for developers to close the loophole before disclosing the actual details. Hopefully!

@MichaelMcNamara:

We really need more details concerning this incident… was it a brute force password attack such as that we're seeing against WordPress? It certainly doesn't sound like that from the information available. Linode needs to provide additional details, what vulnerability? What fix?

Is this a case of doing the right thing or lawyer-ing up?

Hopefully, it's an unknown vulnerability and Linode is just allowing time for developers to close the loophole before disclosing the actual details. Hopefully!

Read the blog: http://blog.linode.com/2013/04/16/security-incident-update/

Linode breached again?? Seriously not impressed

@OverlordQ:

> As Linode themselves stated, the attack on Linode was directed at one specific customer/account, presumably with a brute force attack, so it's most likely that if any account was compromised, it was limited to that specific account.

Yeah, and they also just stated that they did take credit card details.

> As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database.

Where did you see that? I didn't see it in the couple of articles I read.

@lvthunder:

Where did you see that? I didn't see it in the couple of articles I read.

Look two posts above yours.

Dammit, this is really worrying. It's one phone call to get a credit card cancelled and a new one in the post. If I'm not told, I can't make that call.

I'd be interested in finding out who was trying to h4x0r nmap though.

EDIT: Thought I was on slashdot and commented without reading the blog.

@vonskippy:

This is why I ALWAYS use one-use credit cards for online purchases.

Pretty much any big credit card vendor offers them.

Then if they're lost/stolen/hacked - they're already used and of ZERO value.

Hi,

What do you mean by one-use credit cards? Is it similar to pre-paid cards?

@minerva:

@vonskippy:

This is why I ALWAYS use one-use credit cards for online purchases.

Pretty much any big credit card vendor offers them.

Then if they're lost/stolen/hacked - they're already used and of ZERO value.

Hi,

What do you mean by one-use credit cards? Is it similar to pre-paid cards?

I think he is referring to how most credit card companies will allow you to generate a new credit card number on their website. You can generally specify how much can be spent on that new number, and whether it can only be used once, monthly, or other.

For example, you could setup a number to use for Linode that would allow a $20 transaction every month and no more. If the number got stolen, it would be worthless to anyone.

@eld101:

@minerva:

@vonskippy:

This is why I ALWAYS use one-use credit cards for online purchases.

Pretty much any big credit card vendor offers them.

Then if they're lost/stolen/hacked - they're already used and of ZERO value.

Hi,

What do you mean by one-use credit cards? Is it similar to pre-paid cards?

I think he is referring to how most credit card companies will allow you to generate a new credit card number on their website. You can generally specify how much can be spent on that new number, and whether it can only be used once, monthly, or other.

For example, you could setup a number to use for Linode that would allow a $20 transaction every month and no more. If the number got stolen, it would be worthless to anyone.

Never seen those before; are they a USA thing? (I'm in the UK)

Never heard of such a thing in Canada.

I'm from the UK but work all over the place. I've heard of these single-use credit card numbers and I've tried to get them out of my bank from time to time. I've never succeeded.

They are an amazing security measure and should be used far more often.

@eld101:

@minerva:

@vonskippy:

This is why I ALWAYS use one-use credit cards for online purchases.

Pretty much any big credit card vendor offers them.

Then if they're lost/stolen/hacked - they're already used and of ZERO value.

Hi,

What do you mean by one-use credit cards? Is it similar to pre-paid cards?

I think he is referring to how most credit card companies will allow you to generate a new credit card number on their website. You can generally specify how much can be spent on that new number, and whether it can only be used once, monthly, or other.

For example, you could setup a number to use for Linode that would allow a $20 transaction every month and no more. If the number got stolen, it would be worthless to anyone.

From the UK as well. Never heard of this. But it sounds like a good security measure.

I try to use a credit card with a low limit wherever possible. Any credit card company in the UK that introduced this first would score a good USP.

Maybe this will clear up a few things…

http://lmgtfy.com/?q=one+time+credit+card+number

Might be a States thing, last I checked, EC Karte (Germany) didn't offer virtual (one shot) numbers.

@vonskippy:

Maybe this will clear up a few things…

http://lmgtfy.com/?q=one+time+credit+card+number

Might be a States thing, last I checked, EC Karte (Germany) didn't offer virtual (one shot) numbers.

It's usually bank dependent, not network dependent.

The thing is with credit cards you are covered anyway. The retailer gets screwed on fraudulent transactions as long as you report them so there isn't much reason for customers to go to extra lengths when they don't take the loss anyway. I guess that's why few banks offer them, people just can't be bothered.

I'd use them if I could get them but I've never managed to find a bank that would cooperate.

We have these in Portugal and I use it everywhere.

There is a one-time-use version and a 12-month-duration version; in both cases we define a limit.

It's a very secure service. These virtual credit cards are connected to your bank account.

Well, today is May 1st, the day our CC information was supposedly going to be released according to the individual who claimed to have hacked Linode.

Shortly after Linode's later blog entry, the individual came on #linode and proclaimed to have shredded the data.
