Linode disappoints ...

It all started on April 12th with an email from Linode:

Linode administrators have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

etc … etc

I did not think much of it. After all, if something is on the Internet, it is going to be attacked sooner or later. Heck, I get daily notifications of people trying to access sinan at yahoo dot com and my security logs are full of attempts to log on to my VPS using well known user names. Keep in mind: Don’t allow password logins for SSH, and don’t copy your private key to the server.

So, yesterday brings some rumblings, including this email from a person I trust:

Subject: Linode's been hacked

Then, this. Then, this.

At the heart of the issue is a chat log and a directory listing of a web server. As I go to bed, there is no real information from Linode.

While a vulnerability that allows someone access to the public directory of a web server would hardly be news, the chat log also includes more serious claims.

This morning brought an update from Linode.

this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.

Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.

At this point, I do not fully understand all the ramifications of this breach, but it is making me very uncomfortable.

I have been singing Linode’s praises for such a long time that this was a real blow to my image of them. I am not sure how to proceed right now, but the praise is on hold for the moment.

Update: 2013/05/28: I decided to stay with Linode after some consideration.