Attackers gain access to Linode customer data
Hosting company Linode has published details on an attack on their servers that saw unknown hackers penetrate the company's network and access customer information including credit card data. The company had said on Friday that attackers had compromised the account of one of its customers but has now clarified that the attackers gained access to one of its web servers and in the process to part of its backend code and the customer database. The company says that according to its investigation of the matter, the attackers did not have access to any other parts of its infrastructure, including host machines or other infrastructure servers.
Despite the fact that customer passwords for the server management application are stored salted and cryptographically hashed, the company forced a reset on all passwords on Friday and says it has informed all of its customers of the problem. The database that the attackers had access to also included the credit card information of all of Linode's customers. The company says this data was also encrypted and secured with a pass phrase that was not stored electronically. The last four digits of the credit card number were stored in clear text to identify the credit cards. Linode says it has "no evidence decrypted credit card numbers were obtained."
The company says that it will correct the instances where plain text passwords for its Lish (Linode Shell) remote administration tool were stored in its database and that it has also invalidated all passwords affected by this. Additionally, it will issue new API keys to its customers as these were also stored on the breached system.
The attackers gained access to Linode's systems through a vulnerability in ColdFusion. This security problem was fixed by Adobe as part of its Patch Tuesday fixes on 9 April. Adobe has not yet published details on the problem but it is known that the two security holes covered by the patch allow unauthorised users to gain access to the ColdFusion administrator interface.