Cloud-based webhost Linode absorbed another body blow on Tuesday when it said it was resetting customer passwords after a suspected breach. The development compounded the company’s existing woes as it continues to battle a distributed denial-of-service attack that began on Christmas.
A Linode representative said late Tuesday its executives were unavailable for comment and that an investigation was ongoing.
The password breach was announced after the company said three accounts were accessed without permission and it discovered two Linode.com user credentials on an “external machine.”
“This implies user credentials could have been read from our database, either offline or on, at some point,” Linode said in an advisory to customers. “The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.”
Linode said it notified the customers whose credentials were found on outside machines and said there was no evidence of further intrusion into host or virtual machines. Linode markets its services toward developers and offers quick, scalable solid state driver server deployments.
As of this morning, portions of the Linode website were still inaccessible, and the company said it has not been able to determine whether the DDoS attack and the password breach are related attacks. In the past, experts have warned that criminals will use easy-to-mount DDoS attacks against a target in order to distract IT and security staff away from the real target.
“The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings,” Linode said. “You may be wondering if the same person or group is behind these malicious acts. We are wondering the same thing. At this point we have no information about who is behind either issue. We have not been contacted by anyone taking accountability or making demands. The acts may be related and they may not be.”
Linode was relatively quiet about the DDoS attack until a New Year’s Eve blogpost from network engineer Alex Forster. Forster said that a criminal gang was using a botnet to fire bad traffic at Linode’s authoritative nameservers causing DNS outages. All public-facing websites and web and application servers were also targeted, taking down Linode Manager. The attackers also sent traffic at Linode’s colocation provider’s upstream routers and its internal network infrastructure causing packet loss. In all, Forster said there were more than 30 attacks carried out in the week between Christmas and New Year’s Eve.