Linode customer credit card data reportedly stolen by hackers
A few days ago my account was inexplicably charged an extra 20 USD; that was probably an early sign of the Linode customer credit card data theft that has now come to light. Linode only accepts credit cards as a payment method, which many Chinese users have complained about. Why not support PayPal? Why not Alipay? After this incident in which hackers stole Linode customers' credit card data, I think Linode should take some action. Still, looking at the Linode official blog statement below, the gist is that customers' credit card data is stored in the database but encrypted with public/private key encryption. The last four digits of the card number that everyone sees in the Linode management panel are there to make checking and looking up payment records easier. There is currently no evidence that customers' credit card data was stolen, but to be safe, I'd suggest everyone disable overseas payments or get a replacement card.
Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.
As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.
Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.
Linode Manager user passwords are not stored in our database, but their salted and cryptographically hashed representations are. Despite the uselessness of these hashes, as you know we expired Linode Manager passwords on Friday.
There were occurrences of Lish passwords in clear text in our database. We have corrected this issue and have invalidated all affected Lish passwords effective immediately. If you need access to the Lish console, you can reset a new Lish password under the Remote Access sub-tab of your Linode.
For users who have set an API key, we’re also taking action to expire those keys. We’ll be emailing API-enabled users with that information.
We take your trust and confidence in us very seriously, and we truly apologize for the inconvenience that these individuals caused. Our entire team has been affected by this, leaving all of us, like you, feeling violated. We care deeply about the integrity of Linode and are proud of the work that we accomplish here for you. This unfortunate incident has only strengthened our commitment to you, our customer.