Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linode Hacked, Credit Cards and Passwords Leaked

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes "On Friday Linode announced a precautionary password reset due to an attack despite claiming that they were not compromised. The attacker has claimed otherwise, claiming to have obtained card numbers and password hashes. Password hashes, source code fragments and directory listings have been released as proof. Linode has yet to comment on or deny these claims."

5 of 112 comments (clear)

  1. Some more details by Necroman · · Score: 5, Informative

    Some details that people have been able to find so far.

    1) The guy claimed to have hacked ColdFusion using some 0-day exploit. He could have just been going off this recent Adobe bulletin. But this bulletin was before the Linode announcement, so who knows. http://www.adobe.com/support/security/bulletins/apsb13-10.html

    This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387).
    This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388).

    2) One of the files in the directory list that has a unique name is actually accessible on linode.com: http://www.linode.com/y_key_57284cb2de704e02.html

    3) Looks like seclists (nmap people) were targeted by this hack: http://seclists.org/nmap-dev/2013/q2/3

    4) It is not clear if credit cards were compromised or not. While this "ryan" guy claims they were, we won't know unless the list is published or Linode admits to it.

    --
    Its not what it is, its something else.
  2. Re:Nonsense by cheater512 · · Score: 2, Informative

    ColdFusion got exploited which is made by our friends at Adobe who just love riddling their products with security flaws.

  3. Re:Oh FFS by Anonymous Coward · · Score: 4, Informative

    Besides it looks like the breach was beyond their direct control and was a flaw in cold fusion.

    Except ryan_ in the chatlogs (which you obviously didn't bother to read) stated that Linode has set up their ColdFusion environment in a very insecure way. They apparently don't follow best practices. Not saying ColdFusion isn't shit, but it's still Linode's fault.

  4. Hashes aren't passwords (unless they're DES) by raymorris · · Score: 1, Informative

    Title: "credit cards and pass"
    TFS: "hashes of passwords leaked

    That's a HUGE difference. Proper hashes of proper passwords may as well be public. It'd take billions of years to crack them. Unless of course Linode is still living in 1972 and using DES hashes, which may as well be plain text.

    Linode, if you WERE using DES hashes, call me. We have some work to fo on your susyems. The people who designed your systems clearly aren't knowledgeable enough in security that they can be trusted to fix the problems they created.

  5. Capital One - not in my wallet! by dclozier · · Score: 3, Informative

    I used to think the same thing until I ended up paying for some charges I didn't make. Capital One's team of investigators concluded that the charges were my responsibility. I've been running Linux on the desktop for over 10 years now so I know it wasn't a trojan or some other malware on my end giving up the card number - it had to be an online service somewere that was hacked. I never found out who or how. I only ended up owing money for iPower Web hosting (would never in a million years use their service to start with), various gourmet coffee that was delivered to my house (ok I do like coffee but still wouldn't have ordered it online), video professor videos on using Microsoft Office (you know, if I should ever go back to Windows this may be handy???) and colon cleanser. WTF? I don't think they really did any investigating - just waited for a bit and then said it was my fault. Capital One offers no protection.