
Linode Resets User Passwords After Breach

Cloud hosting company Linode informed customers on Tuesday that it has reset their Linode Manager passwords after discovering user credentials on an external machine.

The company found credentials for two accounts while investigating unauthorized access to three accounts. Linode believes that, at some point, user credentials could have been read from its database, either online or offline.

The exposed database included a user table containing usernames, email addresses, password hashes, and encrypted two-factor authentication seeds.

Linode said the exposed user credentials might have been used to access the three breached accounts. The company hasn’t found any evidence to suggest that its infrastructure, including virtual machine data and host machines, has been accessed by unauthorized parties.

A massive distributed denial-of-service (DDoS) campaign was launched against Linode’s infrastructure on December 25 and it continues to this day. The attackers have targeted the company’s websites, data centers and DNS infrastructure.

Just before New Year’s Eve, Linode network engineer Alex Forster reported that the attacker had purchased large amounts of botnet capacity in an attempt to cause significant damage to Linode’s business.

The company has been hit by multiple volumetric attacks directed toward its authoritative nameservers and public websites, Layer 7 attacks against web and application servers, and large volumetric attacks against its network infrastructure and the upstream interconnection points of its colocation provider. By December 31, there had been more than 30 significant attacks.

It’s unclear who is targeting the company, or if the same group or person is behind both the DDoS and unauthorized access. No one has taken credit for the attacks and there haven’t been any demands, Linode said.

The firm is working with law enforcement authorities and a third-party security company to investigate the incidents.

Connection to PagerDuty Breach

In July 2015, operations performance management company PagerDuty advised customers to change their passwords after discovering that its systems had been breached. The company noted at the time that the attacker bypassed multiple layers of authentication and gained access to an administrative panel provided by one of its hosting providers, but no other details were shared about how the attacker got in.

In a post published on Hacker News on Tuesday, a PagerDuty employee said the July attack was conducted via the Linode Manager. PagerDuty determined at the time that the incident likely occurred due to a breach of Linode’s database.

“In our situation the attacker knew one of our user’s passwords and MFA secret. This allowed them to provide valid authentication credentials for an account in the Linode Manager. It’s worth noting that all of our active user accounts had two-factor authentication enabled. An interesting data point was that the user who had their account compromised was no longer in possession of the MFA secret themselves. Their cell phone had been reset (thus deleting all data) 8 months prior. The user could not log in to the Linode Manager if they wanted, so it was our determination that the key could not have been obtained from the user and was more likely on Linode’s side,” the PagerDuty employee explained.

“We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database. It was absolutely unique and was not used elsewhere by the employee making the username an accidental honeypot. This was another piece of data supporting that Linode was the source of our compromise,” he added.
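The "accidental honeypot" the PagerDuty employee describes is, in effect, a canary account: a username that exists only in one system, so any authentication attempt against it reveals that the system's user store has leaked. The following is an added example, not code from Linode, PagerDuty or this article, that turns that idea into a detection rule run over constructed sample log lines; the log format and the canary username are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real Linode or PagerDuty data); the line format is assumed.
SAMPLE_LOG = """\
2015-07-09T02:11:07Z auth user=alice.m result=success src=203.0.113.10
2015-07-09T02:13:52Z auth user=pd-ops-4f2a result=failure src=198.51.100.7
2015-07-09T02:14:01Z auth user=pd-ops-4f2a result=failure src=198.51.100.7
2015-07-09T02:15:30Z auth user=bob.k result=success src=203.0.113.11
"""

# Canary usernames: accounts created only in this system and never used by a person,
# so nobody can learn the name except by reading the system's own user table.
CANARY_USERS = {"pd-ops-4f2a"}  # hypothetical value

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse one event dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_canary_hits(events, canaries):
    """Return one alert per canary username that saw any login attempt.

    Success or failure is irrelevant: a single attempt against a canary is
    evidence that the user store was read, which is what the quoted
    investigation relied on. Each alert carries first/last seen, the source
    addresses and the attempt count, so an analyst can scope the exposure.
    """
    seen = defaultdict(list)
    for e in events:
        if e["user"] in canaries:
            seen[e["user"]].append(e)
    alerts = {}
    for user, evs in seen.items():
        alerts[user] = {
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
            "sources": sorted({e["src"] for e in evs}),
            "attempts": len(evs),
        }
    return alerts
```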

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
