Linode Security Breach

By | September 22, 2016

FYI, for my fellow computer geeks…

It appears that my Linode account was compromised some time between August 1 and September 1, 2016.

I tried to log into Linode Manager tonight and it would not accept my password. Upon discovering this, I went back and looked at my Sep. 1 invoice to see if there were any suspicious charges, and I discovered that it was sent to another email address in addition to mine, and the other address it was sent to is one I’ve never heard of.

Note that my account was protected by a long, random, strong, unique password AND two-factor authentication. However my account was breached, it most assuredly was not because of a weak password or otherwise my fault.

I am communicating with Linode to try to regain control over my account and squeeze as much information as I can out of them about how my account was breached.

If you use Linode or know anyone who does, please warn them to check their most recent invoice to see if anything looks suspicious. They may also want to make sure they can log into their Linode Manager account, and change their password and enable 2FA if it isn’t already enabled.

This may be an isolated breach, e.g., someone may have social-engineered access from Linode to just my account or to a small number of accounts, or it may be something much larger. I will post in the comments any additional information I get from Linode.

Please share.

Print Friendly, PDF & Email

2 thoughts on “Linode Security Breach

  1. jik Post author

    Linode says:

    We do not record audio of our phone calls but our records show that the caller successfully authenticated in accordance with our policies. In order to locate a specific customer account, we perform a search of our database for the encrypted last 6 digits of the payment card provided. We do not keep specific record of the piece of identifying information provided when customers call in to authenticate to their account.

    With that said, so that we can better track social engineering attempts like this, we’ve implemented a policy change today to require that a record of that additional piece of information is kept when customers are authenticated via telephone.

    Given that the party in question made an email address that looked quite similar to yours, was able to provide your payment information and seemed to know you had a Linode account, it is not surprising they were able to authenticate to the account. While we do have policies in place to prevent social engineering, it’s difficult for us to do so when a caller has the payment and personal information of the account holder.

    At minimum, your credit card would appear to be compromised. Given your web presence, it’s possible the other personal information was simply gleaned from resources available online, but the last 6 digits of a payment card would generally require some level of access to the card. I would highly recommend contacting your bank and reporting the card as compromised.

    We do not currently have a system in place that sends an alert to the old email on file when an email address change is performed, however, we’re looking into implementing a change to our system so that email address changes do not occur without an alert to the previous address.

    In light of these events, we would highly recommend setting up a spoken passphrase for your account to thwart any future social engineering attempts, along with the changes we’re working toward on our end.

  2. jik Post author

    Update: On August 19, someone called Linode on the phone and asked for the email address on my account to be changed. Linode’s policy is to require callers to provide the last six digits of the credit card number on file and another piece of identifying information to authenticate themselves. Linode is being cagey with me about whether that policy was correctly followed in this case. I am attempting to get an explicit answer, since it means the difference between my being unable to trust Linode to follow their own security policies, and my needing to change my credit-card number and all the automated payments associated with it since someone has gotten their hands on it.

    Fortunately, although the caller was able to convince Linode to add a new email address to the account, and the caller was able to subsequently do a password reset on the account, they were not able to actually log in because they couldn’t get past the two-factor authentication prompt. Two-factor authentication for the win!

    (Should password resets require 2FA?)

    The IP address from which the attacker attempted to log in is supposedly located in Germany.


Leave a Reply

Your email address will not be published. Required fields are marked *