Cloud hosting company Linode informed customers on Tuesday that it has reset their Linode Manager passwords after discovering user credentials on an external machine.
The company found credentials for two Linode.com accounts while investigating unauthorized access to three accounts. Linode believes that, at some point, user credentials could have been read from its database, either online or offline.
The exposed database included a user table containing usernames, email addresses, password hashes, and encrypted two-factor authentication seeds.
Linode said the exposed user credentials might have been used to access the three breached accounts. The company hasn’t found any evidence to suggest that its infrastructure, including virtual machine data and host machines, have been accessed by unauthorized parties.
A massive distributed denial-of-service (DDoS) campaign was launched against Linode’s infrastructure on December 25 and it continues to this day. The attackers have targeted the company’s websites, data centers and DNS infrastructure.
Just before New Year’s Eve, Linode network engineer Alex Forster reported that the attacker had purchased large amounts of botnet capacity in an attempt to cause significant damage to Linode’s business.
The company has been hit by multiple volumetric attacks directed toward its authoritative nameservers and public websites, Layer 7 attacks against web and application servers, and large volumetric attacks against its network infrastructure and the upstream interconnection points of its colocation provider. By December 31, there had been more than 30 significant attacks.
It’s unclear who is targeting the company, or if the same group or person is behind both the DDoS and unauthorized access. No one has taken credit for the attacks and there haven’t been any demands, Linode said.
The firm is working with law enforcement authorities and a third-party security company to investigate the incidents.
Connection to PagerDuty Breach
In July 2015, operations performance management company PagerDuty advised customers to change their passwords after discovering that its systems had been breached. The company noted at the time that the attacker bypassed multiple layers of authentication and gained access to an administrative panel provided by one of its hosting providers, but no other details were shared about how the attacker got in.
In a post published on Hacker News on Tuesday, a PagerDuty employee said the July attack was conducted via the Linode Manager. PagerDuty determined at the time that the incident likely occurred due to a breach of Linode’s database.
“In our situation the attacker knew one of our user's passwords and MFA secret. This allowed them to provide valid authentication credentials for an account in the Linode Manager. It's worth noting that all of our active user accounts had two-factor authentication enabled. An interesting data point was that the user who had their account compromised was no longer in possession of the MFA secret themselves. Their cell phone had been reset (thus deleting all data) 8 months prior. The user could not log in to the Linode Manager if they wanted, so it was our determination that the key could not have been obtained from the user and was more likely on Linode's side,” the PagerDuty employee explained.
“We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database. It was absolutely unique and was not used elsewhere by the employee making the username an accidental honeypot. This was another piece of data supporting that Linode was the source of our compromise,” he added.