Linode forces password reset for all users due to suspected breach
New Jersey-based virtual private server provider Linode can’t seem to catch a break. After being repeatedly hit with DDoS attacks from December 24 to early January, the company announced on Tuesday that they have reset Linode Manager passwords for all users.
“A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point,” they explained.
“The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.”
“This may have contributed to the unauthorized access of the three Linode customer accounts mentioned above, which were logged into via manager.linode.com. The affected customers were notified immediately. We have found no other evidence of access to Linode infrastructure, including host machines and virtual machine data,” they added.
The company still doesn’t know for sure yet whether the recent DDoS attacks it suffered were executed by the same person or group, as a way of keeping employees concentrated on other things while the attackers tried to find a way into the company’s systems, networks and databases.
“At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be,” they concluded.
In the meantime, they have called in a “well-known third-party security firm” to help with the investigation, so hopefully more details will be available soon.