Linode Hacked, Credit Cards and Passwords Leaked
An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."
Some more details (Score:5, Informative)
Some details that people have been able to find so far.
1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html [adobe.com]
2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html [linode.com]
3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3 [seclists.org]
4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.
Re:Nonsense (Score:3, Informative)
ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.
Re:Oh FFS (Score:4, Informative)
Besides, it looks like the breach was beyond their direct control and was a flaw in ColdFusion.
Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.
Hashes aren't passwords (unless they're DES) (Score:2, Informative)
TFS: "hashes of passwords leaked"
That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.
Linode, if you WERE using DES hashes, call me. We have some work to do on your systems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the problems they created.
Capital One - not in my wallet! (Score:4, Informative)