Cloud host Linode resets user passwords after suspected hack

Virtual private hosting firm Linode is having a rough start to the year.

The Galloway, New Jersey-based company said Tuesday that it has reset the passwords of its entire user base, after suspecting a data breach.

In a statement on its status blog, the company said it had found two Linode user credentials on an “external machine,” implying that usernames and passwords “could have been read from our database, either offline or on, at some point.”

The database includes usernames, email addresses, securely hashed passwords, and encrypted two-factor seeds, but no further details were given.

The company touts Creative Commons, satirical news site The Onion, and weather app Dark Sky as customers.

Linode said it did not know who was behind attacks on its systems, but it had “not been contacted by anyone taking accountability or making demands.”

The message on its status page came just a few hours after a massive distributed denial-of-service (DDoS) attack against its systems on Sunday. Linode said it was caused by a “bad actor” who purchased a large amount of botnet capacity. Following the announcement, a separate posting confirmed its blog was experiencing a denial-of-service attack.

But Linode said it was not sure if the recent attacks on its systems were related.

Users will be prompted to change their passwords when they next log in, which will “invalidate” the old credentials.

The company, founded in 2003, underwent a similar password reset two years ago following a “coordinated attempt to access one of our customers,” it said in an email to its users. It was said that a hacker group was able to exploit a flaw in ColdFusion, allowing unauthorized access to the Linode manager domain.

Some users were quick to criticize the company, which at the time of writing had not emailed customers with the details that were posted to the status page.

“If an attacker had my old, leaked password they could have just gone through the reset process for my account themselves,” said one customer, who added that he found out from the news-sharing site Reddit.

We’ve reached out to Linode for more details, and will update this piece if we hear back.