The attackers who compromised Web hosting provider Linode used a zero day vulnerability in Adobe ColdFusion and were able to access the company’s database, source code and customers’ credit card numbers and passwords. The company said that the customer credit card numbers were encrypted, as were the passwords, but it forced a system-wide password reset after the attack was discovered.
The attack on Linode was described by the company on Monday, a few days after it said that one of its customers was compromised. The details of the attack are quite similar to other attacks that have resulted in password leaks and database breaches, aside from the use of the ColdFusion zero day. Many of these operations tend to be executed through the use of stolen or compromised credentials or a known bug in one of the targeted systems.
The ColdFusion vulnerability used in the Linode attack was patched by Adobe on April 9.
“As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure,” Linode officials said.
“Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.”
The company said that customer passwords are not stored in the Linode database. However, the company does store salted hashes of those passwords, and that’s what the attacker accessed. Those hashes should be of no use to the attacker, but the company decided to reset all customer passwords anyway.