The only excuse for this incident is if they did have 2-factor for their admin portal (which, from the discussion, is presumably separate from manager.linode.com) and someone conducted a targeted attack on a linode employee to compromise/steal both her token (either separate or a totp oath app like googleauthenticator or similar) AND her password.
If someone went to that much effort just to steal some bitcoins, they set their sights too low. Linode must host more valuable stuff.
Yes they are free a day after the event. There are bound to be logs and with that the possibility of capture. The person or people who did this are not quite resting easy, well unless it was a foreign entity that did it... That would change things considerably.
Given the nature of how bitcoin works, however, they can easily move the money through exchanges in foreign jurisdictions, effectively laundering it. There'd be a trail, with logs, but it'd be inaccessible to investigators.
Such as? bitcoins are valuable and easy to run away with. Stolen credit card numbers are such a hassle to monetize that they can be bought with only $2 or $3 of e-currency.
Also, is this customer service portal available via a public URL? Shouldn't some sort of VPN access be required to even get on the network hosting these things?
Can additionally restrict by IP which. That is also the way Verisign protects the registry system that registrars use (as well as two factor authentication).
The title of their blog post is: "Linode Manager Security Incident" and that's exactly the name of the customer website where you can manage your instance, billing, etc.
I think someone found a way to gain access to any Linode customer account through the customer website and from there shut down the instance, changed root password and rebooted (you can do that from there).
I think it's just poorly worded - from the OP and what I've read elsewhere someone accessed the portal used for customer service employees that has access to options/all hosts.
Yes the notes in the original pastebin post kind of indicated it was an issue with a "customer support" control panel, maybe it's just another method or area using the Linode Manager.
I just wish they posted a little more, it feels vague.