Slashdot: Linode hacked, CCs and passwords leaked
An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."
26 Replies
I'd really like to hear confirmation from Linode if CCs were taken or not.
EDIT: re-reading Linode's blog post
> In addition, we have found no evidence that payment information of any customer was accessed.
So I guess we can assume no CCs were taken.
Doesn't changing the password from within the usual linode manager interface…
… like, I thought it requires the old password be entered in order to reset a password or make other changes?
@kuzetsa:
> I'm a little suspicious that I was allowed to just type in my new password twice in order to reset.
> Doesn't changing the password from within the usual linode manager interface…
> … like, I thought it requires the old password be entered in order to reset a password or make other changes?
You had to log in first with the original password. You should also have gotten a notification that your password changed via email to your contact email address.
I went and changed it again a few hours later using the normal password change process.
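The control discussed in this exchange (a password change that re-checks the current password rather than trusting the session alone, with a notification to the contact address either way), sketched here as an added Python example. This is not Linode's code; the account record, the PBKDF2 parameters and the notification list standing in for outgoing mail are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed parameters: PBKDF2-HMAC-SHA256 with a fresh random salt per account.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12


@dataclass
class Account:
    """Hypothetical account record: only a salt and a derived key are stored, never the password."""
    email: str
    salt: bytes
    digest: bytes
    notifications: List[str] = field(default_factory=list)  # stands in for mail to the contact address


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email=email, salt=salt, digest=derive(password, salt))


def verify(account: Account, password: str) -> bool:
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(derive(password, account.salt), account.digest)


def change_password(account: Account, old_password: str, new_password: str) -> Tuple[bool, str]:
    """Change the password only if the caller proves knowledge of the current one.

    A logged-in session is not enough on its own: whoever holds a hijacked session
    could otherwise lock the real owner out silently. Both rejected and successful
    changes are reported to the contact address so the owner sees activity that
    was not theirs.
    """
    if not verify(account, old_password):
        account.notifications.append(f"{account.email}: password change REJECTED (current password wrong)")
        return False, "current password does not match"
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False, "new password too short"
    if new_password == old_password:
        return False, "new password must differ from the current one"
    # Rotate the salt along with the digest so old and new hashes cannot be related.
    account.salt = os.urandom(16)
    account.digest = derive(new_password, account.salt)
    account.notifications.append(f"{account.email}: password CHANGED")
    return True, "ok"


if __name__ == "__main__":
    acct = new_account("alice@example.invalid", "correct horse battery staple")
    print(change_password(acct, "guess", "brand new passphrase 2013"))
    print(change_password(acct, "correct horse battery staple", "brand new passphrase 2013"))
    print(acct.notifications)
```

The first call in the usage block is refused and logged; the second succeeds, after which only the new password verifies.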
@Guspaz:
> Nothing anybody on slashdot or ycombinator linked to demonstrates that anything more than the linode.com webserver and forums were compromised. There was a claim that Linode stored customer credit card information on a compromised server effectively unprotected (encrypted but keys stored in the same location), but there was no evidence of this provided.
Then you aren't reading: http://seclists.org/nmap-dev/2013/q2/3
Seclist admin clearly states:
> I'm sorry for the downtime over the last week, but someone compromised our hosting provider (Linode) and used that access to break into some of our virtual private server (VPS) systems.
> As Linode themselves stated, the attack on Linode was directed at one specific customer/account, assuming with a brute force attack, so it's most likely that if any account was compromised, it was limited to that specific account.
Yea, and they just also stated that they did take credit card details.
> As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database.
Is this a case of doing the right thing or lawyer-ing up?
Hopefully, it's an unknown vulnerability and Linode is just allowing time for developers to close the loophole before disclosing the actual details. Hopefully!
@MichaelMcNamara:
> We really need more details concerning this incident… was it a brute force password attack such as the one we're seeing against WordPress? It certainly doesn't sound like that from the information available. Linode needs to provide additional details: what vulnerability? What fix?
> Is this a case of doing the right thing or lawyer-ing up?
> Hopefully, it's an unknown vulnerability and Linode is just allowing time for developers to close the loophole before disclosing the actual details. Hopefully!
Read the blog:
@OverlordQ:
> > As Linode themselves stated, the attack on Linode was directed at one specific customer/account, assuming with a brute force attack, so it's most likely that if any account was compromised, it was limited to that specific account.
> Yea, and they just also stated that they did take credit card details.
> > As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database.
Where did you see that? I didn't see it in the couple of articles I read.
@lvthunder:
> Where did you see that? I didn't see it in the couple of articles I read.
Look two posts above yours.
I'd be interested in finding out who was trying to h4x0r nmap though.
EDIT: Thought I was on slashdot and commented without reading the blog.
@vonskippy:
> This is why I ALWAYS use one-use credit cards for online purchases.
> Pretty much any big credit card vendor offers them.
> Then if they're lost/stolen/hacked - they're already used and of ZERO value.
Hi,
What do you mean by one-use credit cards? Is it similar to pre-paid cards?
@minerva:
> @vonskippy:
> > This is why I ALWAYS use one-use credit cards for online purchases.
> > Pretty much any big credit card vendor offers them.
> > Then if they're lost/stolen/hacked - they're already used and of ZERO value.
> Hi,
> What do you mean by one-use credit cards? Is it similar to pre-paid cards?
I think he is referring to how most credit card companies will allow you to generate a new credit card number on their website. You can generally specify how much can be spent on that new number, and whether it can only be used once, monthly, or other.
For example, you could setup a number to use for Linode that would allow a $20 transaction every month and no more. If the number got stolen, it would be worthless to anyone.
@eld101:
> @minerva:
> > @vonskippy:
> > > This is why I ALWAYS use one-use credit cards for online purchases.
> > > Pretty much any big credit card vendor offers them.
> > > Then if they're lost/stolen/hacked - they're already used and of ZERO value.
> > Hi,
> > What do you mean by one-use credit cards? Is it similar to pre-paid cards?
> I think he is referring to how most credit card companies will allow you to generate a new credit card number on their website. You can generally specify how much can be spent on that new number, and whether it can only be used once, monthly, or other.
> For example, you could setup a number to use for Linode that would allow a $20 transaction every month and no more. If the number got stolen, it would be worthless to anyone.
Never seen those before; are they a USA thing? (I'm in the UK)
They are an amazing security measure and should be used far more often.
@eld101:
> @minerva:
> > @vonskippy:
> > > This is why I ALWAYS use one-use credit cards for online purchases.
> > > Pretty much any big credit card vendor offers them.
> > > Then if they're lost/stolen/hacked - they're already used and of ZERO value.
> > Hi,
> > What do you mean by one-use credit cards? Is it similar to pre-paid cards?
> I think he is referring to how most credit card companies will allow you to generate a new credit card number on their website. You can generally specify how much can be spent on that new number, and whether it can only be used once, monthly, or other.
> For example, you could setup a number to use for Linode that would allow a $20 transaction every month and no more. If the number got stolen, it would be worthless to anyone.
From the UK as well. Never heard of this. But it sounds like a good security measure.
I try to use a credit card with a low limit wherever possible. Any credit card company in the UK that introduced this first would score a good USP.
Might be a States thing, last I checked, EC Karte (Germany) didn't offer virtual (one shot) numbers.
@vonskippy:
> Maybe this will clear up a few things…
> http://lmgtfy.com/?q=one+time+credit+card+number
> Might be a States thing, last I checked, EC Karte (Germany) didn't offer virtual (one shot) numbers.
It's usually bank dependent, not network dependent.
I'd use them if I could get them but I've never managed to find a bank that would cooperate.
There is a one-time use and a 12-month duration; in both cases we define a limit.
It's a very secure service. These virtual credit cards are connected to your bank account.
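The spending policy that eld101 describes (a generated number capped at, say, $20 per month, or usable once) and the one-time / 12-month variants in the post just above, modelled as an added Python example of how the issuing side decides each authorization. This is not any bank's code; the card record, the merchant label, the amounts and the dates are constructed for the example, and it tracks only what the thread mentions (a per-number limit, once-vs-monthly mode and an expiry).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Tuple


@dataclass
class VirtualCardNumber:
    """Hypothetical merchant-specific card number with a spending policy attached.

    mode="once":    the number is dead after its first approved authorization.
    mode="monthly": at most `limit_cents` may be approved per calendar month.
    Either way the number stops working at `valid_until`.
    """
    label: str                 # what the number was generated for (constructed)
    limit_cents: int
    mode: str                  # "once" or "monthly"
    valid_until: date
    spent: Dict[str, int] = field(default_factory=dict)  # "YYYY-MM" -> cents approved so far
    consumed: bool = False

    def authorize(self, amount_cents: int, on: date) -> Tuple[bool, str]:
        """Decide one authorization request, returning (approved, reason)."""
        if amount_cents <= 0:
            return False, "invalid amount"
        if on > self.valid_until:
            return False, "number expired"
        if self.mode == "once":
            if self.consumed:
                return False, "single-use number already consumed"
            if amount_cents > self.limit_cents:
                return False, "over limit"
            self.consumed = True
            return True, "approved (number now dead)"
        if self.mode == "monthly":
            month = f"{on.year:04d}-{on.month:02d}"
            already = self.spent.get(month, 0)
            if already + amount_cents > self.limit_cents:
                return False, f"over monthly limit ({already} of {self.limit_cents} cents used)"
            self.spent[month] = already + amount_cents
            return True, "approved"
        return False, "unknown mode"


def issue_for_hosting_bill(issued_on: date) -> VirtualCardNumber:
    """Constructed example: $20 per month for a hosting bill, valid for 12 months."""
    # Clamp the day so the anniversary date always exists (e.g. issued on the 31st).
    expiry = date(issued_on.year + 1, issued_on.month, min(issued_on.day, 28))
    return VirtualCardNumber(label="hosting-bill", limit_cents=20_00, mode="monthly", valid_until=expiry)


if __name__ == "__main__":
    card = issue_for_hosting_bill(date(2013, 4, 16))
    print(card.authorize(20_00, date(2013, 4, 16)))   # the legitimate monthly charge
    print(card.authorize(1, date(2013, 4, 20)))       # a leaked number: nothing left this month
    print(card.authorize(50_00, date(2013, 5, 2)))    # a leaked number: above the cap
```

The point the thread makes falls out of the model: once the legitimate $20 charge has gone through, a copy of the number is worth nothing for the rest of the month, and it can never be charged more than the cap or past its expiry.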