FYI, for my fellow computer geeks…
It appears that my Linode account was compromised some time between August 1 and September 1, 2016.
I tried to log into Linode Manager tonight and it would not accept my password. Upon discovering this, I went back and looked at my Sep. 1 invoice to see if there were any suspicious charges, and I discovered that it was sent to another email address in addition to mine, and the other address it was sent to is one I’ve never heard of.
Note that my account was protected by a long, random, strong, unique password AND two-factor authentication. However my account was breached, it most assuredly was not because of a weak password or otherwise my fault.
I am communicating with Linode to try to regain control over my account and squeeze as much information as I can out of them about how my account was breached.
If you use Linode or know anyone who does, please warn them to check their most recent invoice to see if anything looks suspicious. They may also want to make sure they can log into their Linode Manager account, and change their password and enable 2FA if it isn’t already enabled.
This may be an isolated breach, e.g., someone may have social-engineered access from Linode to just my account or to a small number of accounts, or it may be something much larger. I will post in the comments any additional information I get from Linode.
Update: On August 19, someone called Linode on the phone and asked for the email address on my account to be changed. Linode’s policy is to require callers to provide the last six digits of the credit card number on file and another piece of identifying information to authenticate themselves. Linode is being cagey with me about whether that policy was correctly followed in this case. I am attempting to get an explicit answer, since it means the difference between my being unable to trust Linode to follow their own security policies, and my needing to change my credit-card number and all the automated payments associated with it since someone has gotten their hands on it.
Fortunately, although the caller was able to convince Linode to add a new email address to the account, and the caller was able to subsequently do a password reset on the account, they were not able to actually log in because they couldn’t get past the two-factor authentication prompt. Two-factor authentication for the win!
(Should password resets require 2FA?)
The IP address from which the attacker attempted to log in is supposedly located in Germany.
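The sequence described above (a support-desk email change authenticated only by card digits, a password reset sent to the new address, then a login stopped by the 2FA prompt) and the question of whether the reset itself should be gated on the second factor can be modelled in a few dozen lines. The Python below is an added example, not code from this post or from Linode; the `Policy` flags, the `Account` fields, the card digits, the e-mail addresses and the TOTP secret are all constructed for the demonstration, and the TOTP/HOTP routines follow RFC 4226/6238 so the code can be checked against the published test vector.

```python
"""Hypothetical model of an account-recovery flow. Not Linode's code; all values are constructed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: Optional[str], now: int, step: int = 30) -> bool:
    """Accept the current step and its two neighbours (clock skew); constant-time compare."""
    if code is None:
        return False
    return any(hmac.compare_digest(hotp(secret, now // step + d), code) for d in (-1, 0, 1))


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 stored as salt || digest (a memory-hard KDF would be better in production)."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000), digest)


@dataclass
class Policy:
    support_change_requires_2fa: bool  # phone/support contact changes need a current 2FA code
    reset_requires_2fa: bool           # completing a password reset needs a current 2FA code


@dataclass
class Account:
    password: bytes
    card_last6: str
    totp_secret: Optional[bytes]
    emails: set = field(default_factory=set)            # addresses that may receive reset links
    pending_resets: dict = field(default_factory=dict)  # token -> email it was sent to


def support_add_email(acct: Account, policy: Policy, new_email: str, card_last6: str,
                      totp_code: Optional[str] = None, now: int = 0) -> bool:
    """Support channel: card digits alone (weak) or card digits plus 2FA (hardened)."""
    if not hmac.compare_digest(card_last6, acct.card_last6):
        return False
    if policy.support_change_requires_2fa and acct.totp_secret and not verify_totp(acct.totp_secret, totp_code, now):
        return False
    acct.emails.add(new_email)
    return True


def request_password_reset(acct: Account, email: str) -> Optional[str]:
    """Issue a reset token only to an address already on the account."""
    if email not in acct.emails:
        return None
    token = secrets.token_urlsafe(32)
    acct.pending_resets[token] = email
    return token


def complete_password_reset(acct: Account, policy: Policy, token: Optional[str], new_password: str,
                            totp_code: Optional[str] = None, now: int = 0) -> bool:
    """Holding the token proves control of an email address; the hardened policy also demands the second factor."""
    if token is None or token not in acct.pending_resets:
        return False
    if policy.reset_requires_2fa and acct.totp_secret and not verify_totp(acct.totp_secret, totp_code, now):
        return False
    del acct.pending_resets[token]
    acct.password = hash_password(new_password)
    return True


def login(acct: Account, password: str, totp_code: Optional[str] = None, now: int = 0) -> bool:
    if not check_password(password, acct.password):
        return False
    return not acct.totp_secret or verify_totp(acct.totp_secret, totp_code, now)


DEMO_SECRET = b"constructed-2fa-secret-for-demo"  # constructed sample, not a real secret


def simulate(policy: Policy, caller_totp: Optional[str] = None, now: int = 1_470_000_000) -> dict:
    """Replay the post's sequence: a caller who knows the card's last six digits has an email added,
    triggers a reset to it, then tries to log in. caller_totp is the 2FA code they can supply, if any."""
    acct = Account(password=hash_password("correct horse battery staple"), card_last6="123456",
                   totp_secret=DEMO_SECRET, emails={"owner@example.com"})
    email_added = support_add_email(acct, policy, "caller@example.net", "123456", caller_totp, now)
    token = request_password_reset(acct, "caller@example.net")
    reset_done = complete_password_reset(acct, policy, token, "new-password", caller_totp, now)
    logged_in = login(acct, "new-password", caller_totp, now)
    return {"email_added": email_added, "reset_done": reset_done, "logged_in": logged_in}


if __name__ == "__main__":
    print("weak policy:", simulate(Policy(False, False)))
    print("hardened policy:", simulate(Policy(True, True)))
    print("hardened, legitimate owner:", simulate(Policy(True, True), totp(DEMO_SECRET, 1_470_000_000)))
```

Under the weak policy the model reproduces the post's outcome: the email is added, the reset goes through, and only the final login is stopped by the 2FA check. Under the hardened policy the same caller gets nothing past the support desk, and the reset token is never issued because the address was never added; the legitimate owner, who can produce a current code, completes every step. The point for a defender is that the second factor protects only the operations that actually check it, so recovery and contact-change paths need the check as much as the login form does.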