Linode Resets User Passwords After Breach

Cloud hosting company Linode informed customers on Tuesday that it has reset their Linode Manager passwords after discovering user credentials on an external machine.

The company found credentials for two Linode.com accounts while investigating unauthorized access to three accounts. Linode believes that, at some point, user credentials could have been read from its database, either online or offline.

The exposed database included a user table containing usernames, email addresses, password hashes, and encrypted two-factor authentication seeds.

Linode said the exposed user credentials might have been used to access the three breached accounts. The company has not found any evidence that its infrastructure, including virtual machine data and host machines, has been accessed by unauthorized parties.

A massive distributed denial-of-service (DDoS) campaign was launched against Linode’s infrastructure on December 25 and it continues to this day. The attackers have targeted the company’s websites, data centers and DNS infrastructure.

Just before New Year’s Eve, Linode network engineer Alex Forster reported that the attacker had purchased large amounts of botnet capacity in an attempt to cause significant damage to Linode’s business.

The company has been hit by multiple volumetric attacks directed toward its authoritative nameservers and public websites, Layer 7 attacks against web and application servers, and large volumetric attacks against its network infrastructure and the upstream interconnection points of its colocation provider. By December 31, there had been more than 30 significant attacks.

It’s unclear who is targeting the company, or if the same group or person is behind both the DDoS and unauthorized access. No one has taken credit for the attacks and there haven’t been any demands, Linode said.

The firm is working with law enforcement authorities and a third-party security company to investigate the incidents.

Connection to PagerDuty Breach

In July 2015, operations performance management company PagerDuty advised customers to change their passwords after discovering that its systems had been breached. The company noted at the time that the attacker bypassed multiple layers of authentication and gained access to an administrative panel provided by one of its hosting providers, but no other details were shared about how the attacker got in.

In a post published on Hacker News on Tuesday, a PagerDuty employee said the July attack was conducted via the Linode Manager. PagerDuty determined at the time that the incident likely occurred due to a breach of Linode’s database.

“In our situation the attacker knew one of our user’s passwords and MFA secret. This allowed them to provide valid authentication credentials for an account in the Linode Manager. It’s worth noting that all of our active user accounts had two-factor authentication enabled. An interesting data point was that the user who had their account compromised was no longer in possession of the MFA secret themselves. Their cell phone had been reset (thus deleting all data) 8 months prior. The user could not log in to the Linode Manager if they wanted, so it was our determination that the key could not have been obtained from the user and was more likely on Linode’s side,” the PagerDuty employee explained.

“We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database. It was absolutely unique and was not used elsewhere by the employee making the username an accidental honeypot. This was another piece of data supporting that Linode was the source of our compromise,” he added.
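The "accidental honeypot" described above is a detection opportunity: authentication attempts against an account that was deactivated, and whose username existed only in the provider's database, are a strong signal that the provider's credential store is the source. The following is an added example, not code from Linode, PagerDuty or the article; the log format, usernames and IP addresses are constructed for illustration.

```python
import re

# Constructed sample access-log lines in a hypothetical format
# (not the real Linode Manager log format).
SAMPLE_LOG = """\
2015-07-08T02:14:07Z login user=alice src=203.0.113.10 result=success mfa=ok
2015-07-08T02:15:31Z login user=bob.former src=203.0.113.10 result=failure mfa=n/a
2015-07-08T02:15:40Z login user=bob.former src=203.0.113.10 result=failure mfa=n/a
2015-07-08T02:16:02Z login user=carol src=198.51.100.7 result=failure mfa=bad
2015-07-08T09:00:11Z login user=dave src=192.0.2.44 result=success mfa=ok
"""

# Deactivated accounts whose usernames were unique to the hosting
# provider's database: any attempt to use them is worth an alert.
DEACTIVATED = {"bob.former": "2014-11-01"}  # username -> deactivation date (constructed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_log(text):
    """Parse matching log lines into dicts; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def detect_suspicious(events, deactivated):
    """Return alerts for (1) any auth attempt against a deactivated account and
    (2) any successful login from a source IP that also probed such an account,
    since that source is likely working from the same stolen credential set."""
    alerts = []
    honeypot_sources = set()
    for e in events:
        if e["user"] in deactivated:
            alerts.append({"type": "deactivated_account_attempt", "user": e["user"],
                           "src": e["src"], "ts": e["ts"]})
            honeypot_sources.add(e["src"])
    for e in events:
        if e["result"] == "success" and e["src"] in honeypot_sources:
            alerts.append({"type": "success_from_probing_source", "user": e["user"],
                           "src": e["src"], "ts": e["ts"]})
    return alerts


def run():
    """Run the detector over the constructed sample log."""
    return detect_suspicious(parse_log(SAMPLE_LOG), DEACTIVATED)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample log this raises two deactivated-account alerts for bob.former and one correlated alert for alice's session from the same source IP.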

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
