
A 2012 Bitcoin hack victim was none other than a lead developer of Bitcoin. Back then, they ran a Bitcoin faucet on it that gave out a paltry 0.25 Bitcoin at a time.

I never bothered to jump through those hoops for like a dollar (now about US$10k):

http://gavintech.blogspot.com/2012/03/bitcoin-faucet-hacked....

He only lost 5 bitcoin (like $20 then or $200k today), but another lost 3100, or around… $124 million today:

https://bitcointalk.org/index.php?topic=66916.0

They ran a Bitcoin mining pool and this hack motivated them to create a hardware wallet:

https://blog.trezor.io/how-trezor-was-born-from-a-hacking-at...



Wow, that's some major root-level compromise at Linode. It's interesting how quiet they kept these things in those days.


Linode reported it the same day:

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

---

I won't argue Linode is blameless here, but seems like the only reason it had such an outsized impact was because the 8 customers who were targeted evidently didn't do much to protect their assets from someone gaining unauthorized access to their servers--which is always a possibility with any publicly exposed server with or without a breach of the service provider being involved.


Take a look at this link re: PagerDuty and how Linode handled things there.

https://news.ycombinator.com/item?id=10845985

Doesn't it seem kind of crazy that folks get full root control plane on Linode so frequently?


Hi. This is my comment you keep linking to. Your understanding of what happened is flawed. I do not have signs that Linode was rooted in that compromise. The signals I do have are that they had their database compromised, and likely secret key material. That allowed attackers to crack the hashes offline, and then authenticate using MFA.

IMO, it's plain wrong to categorize that one as "getting full root control plane", where it was instead the compromising of individual accounts that may have had no access to the resources on an account.


One of the many reasons every country needs more serious, standard, and mandatory public disclosure laws for cloud infrastructure breaches.


Looking from the end user end it seems nice, but will soon be weaponized in all possible manner, sloppily executed, and too much data to ingest.

For reference there is mandatory disclosure of (serious) data breaches in the GDPR and it's very uncommon that the disclosure actually occurs.


Target should have had difficulty surviving as a company as a result of penalties-if-not-prison for their 2013 breach, but we see what happened there.


That’s a little over the top, eh? They disclosed within 4 days of discovery and implemented better security controls all over. They are probably the only major retailer with chip and pin payments in the US, for example.

If you think they were unique or egregious in terms of 3rd party access to networks, I am afraid that you will find reality disappointing.


I will say I was pleasantly surprised to discover that their store credit card comes without a magstripe on the back


Should that same existential penalty be applied to every company who had Log4J running in prod a few months back? That was a much more widespread root compromise...


Not comparable. Log4j was a vulnerability in the software, not leaving their shit open and putting all their cash registers on an intranet available to the internet.

https://krebsonsecurity.com/2015/09/inside-target-corp-days-...


Vulnerability != Compromise


There is no lower bound for reportable personal data breaches:

https://gdpr-info.eu/art-33-gdpr/


The one thing I don't understand is if that many coins were stolen and every transaction is traceable shouldn't there be a trail? The owner has 124 million reasons to find those coins. Is the ability to track past transactions not as possible as it seems?


You can track, but large amounts merge with small and disperse as they hit brokers etc. If your claim to someone is that their BTC is 0.01% stolen, it's not so strong. Faster you act, more you can do


That makes it a little over $12,000 at the time. Which is likely why there was no big hubbub about it.


Somebody please explain to me how is it possible that the owner reports losing $124 million, then they casually mention in the reply that: no problem, I'll just cover it with my own money ...

(another recent story on ether hack had the same "resolution" the organization just chose to replace the losses) ...

where is that money coming from? does not seem real


That’s what it would be worth now. Was worth like 1/10000th of that back then. They probably covered it with their previously earned holdings that could have been another fraction of that.


The 3,094 BTC stolen happened in 2012. The price of BTC in March of 2012 was ~$3-5 USD, so ~$15,500K on the high end and ~$9,300 on the low end.


I imagine they repaid the value of the bitcoins at the time, which would have been a lot less


Because back then the price of bitcoin was much lower. It is $124 million in today dollars, like $1,000 in back then dollars.



