FYI, for my fellow computer geeks…
It appears that my Linode account was compromised some time between August 1 and September 1, 2016.
I tried to log into Linode Manager tonight and it would not accept my password. Upon discovering this, I went back and looked at my Sep. 1 invoice to see if there were any suspicious charges, and I discovered that it was sent to another email address in addition to mine, and the other address it was sent to is one I’ve never heard of.
Note that my account was protected by a long, random, strong, unique password AND two-factor authentication. However my account was breached, it most assuredly was not because of a weak password or otherwise my fault.
I am communicating with Linode to try to regain control over my account and squeeze as much information as I can out of them about how my account was breached.
If you use Linode or know anyone who does, please warn them to check their most recent invoice to see if anything looks suspicious. They may also want to make sure they can log into their Linode Manager account, and change their password and enable 2FA if it isn’t already enabled.
This may be an isolated breach, e.g., someone may have social-engineered access from Linode to just my account or to a small number of accounts, or it may be something much larger. I will post in the comments any additional information I get from Linode.