A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.

This may have contributed to the unauthorized access of the three Linode customer accounts mentioned above, which were logged into via manager.linode.com. The affected customers were notified immediately. We have found no other evidence of access to Linode infrastructure, including host machines and virtual machine data.

The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings.

Now’s a good time to change all your passwords and audit your servers.

None of this means that Linode has been irresponsible, at least that we know of. Security is hard, and this kind of thing can and will happen to any and every clowd provider. It’s only a matter of time before Amazon gets hit.

Regular server audits and password changes are critical for anything that’s connected to the internet, which at this point is more and more of the things. It’s good practice to have some kind of security policy in place, regardless of the technology you’re using. Policy is just as much a part of security as the technical aspect.