The hackers – a group calling itself HTP – used vulnerabilities in Adobe ColdFusion (CVE-2013-1387 and CVE-2013-1388) to carry out the operation. Ironically, it’s a vulnerability that Adobe patched less than a week ago.
“We have been working around the clock since discovering this vulnerability,” the company said in its blog. “Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.”
Linode said the good news is that there is no evidence that decrypted credit card numbers were obtained. Credit card numbers in the database are stored in encrypted form, using public and private key encryption, it explained. The private key is itself encrypted with a passphrase, and that complex passphrase is not stored electronically.
Meanwhile, when it comes to all-important passwords, the company was quick to point out that Linode Manager user passwords are not stored in its database, but their salted and cryptographically hashed representations are. “Despite the uselessness of these hashes, as you know we expired Linode Manager passwords on Friday,” the company said.
The company also said that while some Lish passwords were stored in clear text in the database, it has invalidated all affected Lish passwords, so those users must set a new Lish password.
For users who have set an API key, the company is also “taking action to expire those keys” and is emailing those affected with new information.
“We take your trust and confidence in us very seriously, and we truly apologize for the inconvenience that these individuals caused,” the company said by way of mea culpa. “Our entire team has been affected by this, leaving all of us, like you, feeling violated. We care deeply about the integrity of Linode and are proud of the work that we accomplish here for you. This unfortunate incident has only strengthened our commitment to you, our customer.”