ary · 12 years ago
So I switched to Digital Ocean after the last Linode security fiasco and I can't say I regret it.

Should you decide to switch to another VPS provider, I strongly recommend you cite the security problems when they ask you why you're closing your account. The only reliable way to get the security message across to technical managers and business people alike is to make it about money. That said, the fact that this has happened, in this way, again to Linode is a very bad sign.

Having been in meetings, advocated for taking security seriously, and heard the rationalizations for a lax approach, I can only say that, as a customer, if your desire for security isn't made crystal clear you have no hope of getting it. It has to be a deal breaker, or not only will companies like Linode not learn, but their competitors who stand to gain from their loss won't either.

anaphor · 12 years ago
Stop acting so dramatic. There's no evidence that there was any security breach. People on IRC are saying this is FUD.

<gallaeaho> zectorpt: no

<gallaeaho> zectorpt: nothing was "hacked", but old stuff got posted

<gallaeaho> again

infosecslave · 12 years ago
Which is blatantly false: if it was "old stuff being posted again" then the MySQL credentials wouldn't have been working 60 minutes ago.
phkn1 · 12 years ago
Likewise, though my specific concerns were around a suspiciously large volume of inbound traffic that appeared to be maliciously probing for open services, and in particular a lack of any sort of upstream mitigation (to paraphrase their response, "can't help you, try Cloudflare").

Of course, Digital Ocean has had its own problems lately with not properly scrubbing decommissioned VPS containers... so to some degree, data security is not a Linode specific problem. And for that matter it is not just because someone is recycling passwords (bad), but because it is by nature one of the most fundamental and pervasive security challenges with any VPS hosting. Your AWS node might be perfectly secure, but it might be sharing a physical rack with a Russian botnet and you'd have no way to know.

Bottom line, if you are using a shared environment there is always some risk of having bad neighbors, experiencing disruption at the supervisory layer or of your data bleeding over into an untrusted location. Your application security design should be planned accordingly, and the choice of VPS host is only one part of that equation.

sukaka · 12 years ago
Apparently the password has been reused. A search for the password cfr41qa turned up results from almost a year ago: https://www.google.com/search?q=cfr41qa
notastartup · 12 years ago
The security hack was always in the back of my mind.

What really made me move away from Linode is their inability to accept PayPal.

Luckily, DigitalOcean accepted PayPal. Also, their $5 servers cannot be beat.

Sure, Linode has some good panels, but it was more than I could chew and more than I needed. DigitalOcean also had a good amount of documentation to do everything I needed without filing a ticket.

cthor · 12 years ago
A lot of merchants (e.g. Amazon) don't use PayPal because it isn't a real bank, and so isn't beholden to the laws associated with banks. The terms of service state that you cannot seek any legal recourse from them should your account be shut down.

How could this affect a VPS provider? Say a customer hosts a porn site, or a gun-selling site, or something else PayPal disagrees with. PayPal shuts the merchant's account down for it. Now the merchant's funds are frozen for an indeterminate amount of time until the issue can be resolved, if at all, and there's nothing they can do about it short of appealing to PayPal.

taf2 · 12 years ago
Curious, what do you use the $5 servers for?

alex1 · 12 years ago
Looks like those credentials were disclosed in April of last year: http://turtle.dereferenced.org/~nenolod/linode/linode-abridg...

Something doesn't add up here. Surely Linode can't be that careless.

rcarmo · 12 years ago
I call bullshit.

These things are happening often enough for them to be a competitive strategy between rival VPS hosting companies.

(I happen to have servers hosted at Linode, Digital Ocean and a local provider, and always find it amusing to tally the number of "happy customers" that pop up in comment threads like this.)

eli · 12 years ago
This source does not have much credibility.
Sir_Cmpwn · 12 years ago
Does anyone have a better source?

Update: I've gathered from chats on IRC here and there that this is a legitimate concern.

Also: curl http://ra.pe/linode2.sql | grep --only-matching -E ".{8}your credit card number.{8}"

codezero · 12 years ago
None of my info is in the file, and I was a customer before the previous hack.
TheSwordsman · 12 years ago
I've looked through this. It looks to be a sanitized version of their database with very old information. The reason I say sanitized is that there appear to be few or no credit cards in there, and the only values that look like CC numbers are '4111111111111111'.

My guess is that this is an old development DB that was left on a server that may have been forgotten about.
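
The triage TheSwordsman describes (deciding whether a claimed dump holds real card data or only placeholder test numbers) can be done mechanically. The following is an added example, not code from the thread or from Linode: it scans a constructed SQL fragment for card-number-like strings, validates each with the Luhn checksum, and separates the widely published test PANs (such as '4111111111111111') from values that would merit a closer look. The sample dump rows and the short test-PAN list are constructed for illustration and assumed to be representative, not exhaustive.

```python
import re

# Constructed sample of a SQL dump fragment (not the leaked file). The only
# card-like values are well-known test PANs and one junk digit string.
SAMPLE_DUMP = """
INSERT INTO customers VALUES (1,'alice','4111111111111111','2009-03-01');
INSERT INTO customers VALUES (2,'bob','1234567812345678','2009-03-02');
INSERT INTO customers VALUES (3,'carol','4111 1111 1111 1111','2009-03-05');
INSERT INTO customers VALUES (4,'dave','5500000000000004','2009-04-01');
"""

# Test PANs published in card-network and payment-gateway documentation.
# Assumption: this short list is illustrative; a real triage would use a
# fuller list of known sandbox numbers.
KNOWN_TEST_PANS = {
    "4111111111111111",  # Visa test number
    "5500000000000004",  # Mastercard test number
    "340000000000009",   # American Express test number
}

# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def triage_dump(text: str) -> dict:
    """Classify card-like strings as known test PANs, real-looking, or invalid.

    Returns lists of normalised digit strings in the order they were found.
    Only Luhn-valid values that are not known test numbers count as real-looking.
    """
    result = {"test": [], "real_looking": [], "invalid": []}
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            result["invalid"].append(digits)
        elif digits in KNOWN_TEST_PANS:
            result["test"].append(digits)
        else:
            result["real_looking"].append(digits)
    return result


def looks_sanitized(text: str) -> bool:
    """True when no Luhn-valid, non-test card number appears in the dump."""
    return len(triage_dump(text)["real_looking"]) == 0


if __name__ == "__main__":
    summary = triage_dump(SAMPLE_DUMP)
    for bucket, values in summary.items():
        print(f"{bucket}: {len(values)}")
    print("sanitized:", looks_sanitized(SAMPLE_DUMP))
```

A dump in which every Luhn-valid number is a documented test PAN is consistent with a development or staging database, which is the reading TheSwordsman gives; a single Luhn-valid number outside that list is the signal that the file needs to be handled as real cardholder data.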

mevodig · 12 years ago
The account submitting this story was created six days ago, and this is their only activity on HN so far. The credentials mentioned are old and the data in the claimed dump is from 2009. So far this seems highly implausible.
mct · 12 years ago
Linode publishes logs of their IRC channel at https://www.linode.com/irc/logs/, but it's currently returning "504 Gateway Time-out". Does anyone know offhand if that URL had previously been broken, or if Linode has taken the logs offline following the attack?
catinsocks · 12 years ago
http://thegrebs.com/irc/linode/2014/01/19 (Ads possibly NSFW)

Seems to have some logs of the linode channel today.

infosecslave · 12 years ago
Logs are in the same network as the breached MySQL server.