The new Linode lineup:
Today marks Linode’s 10 year anniversary and we’d like to start by thanking you, our customer. Thank you for your patronage, for your positive feedback, for your words of encouragement and your constructive criticism – all of which have helped make us a better company. Thank you for your word-of-mouth recommendations. The majority of our growth over the years can be attributed to happy customers telling others about Linode. We strive to constantly improve our service to you and it is very gratifying to see our efforts rewarded.
Of course none of this would be possible without our employees, past and present, whose passion, dedication, and talent continue to build our company. It wasn’t that long ago there were three Linodians remotely pouring their souls into making Linode a success. These days we regularly outgrow office and cage space. We are so proud of the jobs we have created and the lives we’ve affected. Congratulations to our entire team on 10 years!
Linode has grown phenomenally over the last 10 years, and while we are proud of our success, we are also humbled by it. We feel a tremendous obligation to deliver innovation, great support, and quality to our customers and we have no intention of sitting on our laurels. We have exciting things planned for this year and the coming ones. We look forward to the next 10 years and thank you all for being a part of this!
Thank you for contacting us! You have encountered a bug in the 32-bit kernel that will prevent you from booting with certain allocations of the host’s RAM. You can boot your server by changing your configuration profile to use the 64-bit version. We are working on a fix to this problem and we will let you know when this problem has been resolved.
Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.
As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.
Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.
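The storage scheme described above, as an added example that is not Linode's code: the web tier encrypts card numbers with the public key only, so a copy of the stored records, even together with the passphrase-encrypted private key, does not yield card numbers. RSA-2048 with OAEP padding, the file names, the passphrase and the test card number are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Linode's code. Assumed: RSA-2048 with OAEP, file names,
# and a constructed passphrase and test card number.
set -eu
umask 077
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Offline: generate the key pair. The private key is written already
# encrypted under the passphrase in $KEY_PASSPHRASE; only pub.pem is
# deployed to the web tier.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:KEY_PASSPHRASE -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -passin env:KEY_PASSPHRASE \
        -pubout -out "$WORK/pub.pem"
}

# Web tier: encrypt the card number ($1) to file $2 using the public key
# only, and print the last four digits that are kept in clear text.
store_card() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/pub.pem" -pkeyopt rsa_padding_mode:oaep -out "$2"
    printf '%s' "$1" | tail -c 4
}

# Billing side: decrypting record $1 needs priv.pem and the passphrase.
# A wrong or missing passphrase makes openssl exit non-zero.
read_card() {
    openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
        -passin env:KEY_PASSPHRASE -pkeyopt rsa_padding_mode:oaep \
        -in "$1" 2>/dev/null
}

# Constructed demo values.
KEY_PASSPHRASE='constructed demo passphrase'
export KEY_PASSPHRASE
make_keys
store_card 4111111111111111 "$WORK/card.enc" >/dev/null
```

In a real deployment the passphrase would be typed in at decryption time rather than held in a script, matching the statement that it is not stored electronically.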
Linode Manager user passwords are not stored in our database, but their salted and cryptographically hashed representations are. Despite the uselessness of these hashes, as you know, we expired Linode Manager passwords on Friday.
There were occurrences of Lish passwords in clear text in our database. We have corrected this issue and have invalidated all affected Lish passwords effective immediately. If you need access to the Lish console, you can reset a new Lish password under the Remote Access sub-tab of your Linode.
For users who have set an API key, we’re also taking action to expire those keys. We’ll be emailing API-enabled users with that information.
We take your trust and confidence in us very seriously, and we truly apologize for the inconvenience that these individuals caused. Our entire team has been affected by this, leaving all of us, like you, feeling violated. We care deeply about the integrity of Linode and are proud of the work that we accomplish here for you. This unfortunate incident has only strengthened our commitment to you, our customer.
Dear Linode customer,
Linode administrators have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.
We have been advised that law enforcement officials are aware of the intrusion into this customer’s systems. We have implemented all appropriate measures to provide the maximum amount of protection to our customers. Out of an abundance of caution, however, we have decided to implement a Linode Manager password reset. In so doing, we have immediately expired all current passwords. You will be prompted to create a new password the next time that you log into the Linode Manager. We also recommend changing your LISH passwords and, if applicable, regenerating your API key.
The following represent best practices in creating new passwords:
Avoid using simple passwords based on dictionary words
Never use the same password on multiple sites or services
Never click on ‘reset password’ requests in unsolicited emails – instead go directly to the service
We apologize for the inconvenience. If you have any questions, please do not hesitate to contact our support team at [email protected]