Linode, a virtual private server provider, has reset all users’ Manager passwords following a possible breach into one of its databases.
According to a security update posted on Linode’s status page, the reset is the result of an investigation into unauthorized activity on a small number of user accounts:
“A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine,” the update explains. “This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.”
The post goes on to note that the affected customers have been notified and that the Linode team, which is working with a third-party security firm as well as with federal law enforcement, has found no further evidence of unauthorized access to its infrastructure, including VM data and host machines.
At this time, it is unclear how the breach against Linode occurred. Eduard Kovacs of Security Week writes that Linode’s database might have been compromised sometime last year and subsequently used to launch an attack against operations performance management company PagerDuty, which itself implemented a password reset after it found that attackers had infiltrated its systems back in July.
“In our situation the attacker knew one of our user’s passwords and MFA secret,” a PagerDuty employee recounts on Hacker News. “This allowed them to provide valid authentication credentials for an account in the Linode Manager. It’s worth noting that all of our active user accounts had two-factor authentication enabled. An interesting data point was that the user who had their account compromised was no longer in possession of the MFA secret themselves. Their cell phone had been reset (thus deleting all data) 8 months prior. The user could not log in to the Linode Manager if they wanted, so it was our determination that the key could not have been obtained from the user and was more likely on Linode’s side.”
They added: “We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database. It was absolutely unique and was not used elsewhere by the employee making the username an accidental honeypot. This was another piece of data supporting that Linode was the source of our compromise.”
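The PagerDuty account above turns on one detail: the attacker held the user's MFA secret, so the second factor offered no protection, and the Linode user table stores those seeds (encrypted) alongside the hashed passwords. The following Python is an added example, not code from Linode, PagerDuty or the article, showing why that matters for a defender: a TOTP code is a pure function of the shared seed and the clock (RFC 6238), so anyone holding a copy of the seed produces the same codes as the user's phone, and a password reset alone leaves that copy fully usable. The account record, the `1_450_000_000` timestamp and the seed-rotation step are constructed for the illustration.

```python
"""Added example: a password reset does not revoke a leaked TOTP seed.
All names and values here are hypothetical; this is not Linode's or
PagerDuty's code."""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def create_account(password: str) -> dict:
    """Constructed user-table row: hashed password plus a 160-bit TOTP seed."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_seed": secrets.token_bytes(20)}


def login(account: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must check out; comparisons are constant-time."""
    _, digest = hash_password(password, account["salt"])
    pw_ok = hmac.compare_digest(digest, account["pw_hash"])
    return pw_ok and verify_totp(account["totp_seed"], code, unix_time)


def reset_password(account: dict, new_password: str) -> None:
    """What a password-only reset changes: the hash and salt, nothing else."""
    account["salt"], account["pw_hash"] = hash_password(new_password)


def rotate_totp_seed(account: dict) -> bytes:
    """The extra step needed when seeds may have been read: issue a new seed,
    which the user must re-enrol on their device."""
    account["totp_seed"] = secrets.token_bytes(20)
    return account["totp_seed"]


def demo() -> dict:
    """Walk through the scenario and return the observations as booleans."""
    now = 1_450_000_000  # constructed timestamp, seconds since the epoch
    account = create_account("old-pw")
    leaked_seed = bytes(account["totp_seed"])  # copy read from the database

    # The holder of the seed copy computes exactly the user's current code.
    same_code = totp(leaked_seed, now) == totp(account["totp_seed"], now)

    # A password-only reset: the leaked seed still passes verification, so the
    # second factor adds nothing if the new password is ever obtained.
    reset_password(account, "new-pw")
    seed_still_valid = verify_totp(account["totp_seed"], totp(leaked_seed, now), now)
    new_pw_plus_leaked_seed = login(account, "new-pw", totp(leaked_seed, now), now)

    # Rotating the seed is what actually retires the leaked copy.
    rotate_totp_seed(account)
    seed_changed = account["totp_seed"] != leaked_seed

    return {
        "same_code": same_code,
        "seed_still_valid_after_pw_reset": seed_still_valid,
        "login_with_new_pw_and_leaked_seed": new_pw_plus_leaked_seed,
        "seed_changed_after_rotation": seed_changed,
    }


if __name__ == "__main__":
    print(demo())
```

The `hotp`/`totp` functions reproduce the RFC 6238 test vectors (seed `12345678901234567890`, time 59 gives `94287082` at eight digits), so the behaviour shown is that of any standard authenticator app, not a toy. The defender's takeaway from `demo()` is the ordering of the response: when a credential table holding second-factor seeds may have been read, the seeds need re-issuing, not just the passwords, and the re-enrolment has to go through a channel the leaked data cannot satisfy.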
Alternatively, the breach may be connected to a recent series of DDoS attacks against the provider.
Alex Forster, a network engineer at the company, explains in a separate update how Linode began experiencing a series of “large and frequent DDoS attacks” beginning on Christmas Day. This holiday DDoS campaign consisted of large volumetric attacks against the provider’s authoritative nameservers, public-facing websites, colocation provider’s upstream interconnection points, and network infrastructure, as well as Layer 7 attacks against its web and application servers.
An update posted on Wednesday reveals that Linode believes it has mitigated the attacks after 10 days of connectivity problems. However, as The Register notes, these attacks might have provided the perfect distraction for attackers to target other parts of Linode’s infrastructure, namely its database.
All Linode customers are urged to update their passwords as soon as possible.
News of this password reset and DDoS campaign follows on the heels of a threat made by a group called Phantom Squad to bring down Xbox Live and PlayStation Network on Christmas Day last year. (The DDoS attack never came, unlike Lizard Squad’s similar attack in 2014.)