"This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed," Linode wrote at the time, and announced a precautionary password reset for all of its users.
On Saturday, Gordon "Fyodor" Lyon confirmed on the Nmap Development mailing list that, after gaining access to Linode's networks, the attackers first perused a list of the highest-traffic websites hosted by the provider, then opted to target the account used to operate the aforementioned four sites and services.
"Linode says the intruder messed around with our account, but left their other customers alone," he wrote, adding that the attackers managed to break into some of their virtual private server systems, but that now everything is safely back online.
According to Tuesday's incident update published by Linode, the Hack The Planet hacker group has claimed responsibility for the breach of the provider's web servers, which allowed them to glean some of Linode's source code and databases.
"Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure," they wrote.
"Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained."
Even the passwords whose reset the Linode team forced were stored hashed and salted.
The attackers pulled off the attack by exploiting a vulnerability in Adobe's ColdFusion application server, a patch for which Adobe had pushed out a week earlier.
According to Softpedia, the group has announced the public release of the data they managed to steal following the breach.