
The problem wasn't in passwords being stolen. CC information was allegedly leaked.



Allegedly? They admitted it was.


They admitted that the encrypted CC numbers were leaked; they didn't mention whether the encryption keys were stored on the same machine. The alleged hacker said that the encryption keys were stored on the same machine, making the encryption useless.


Linode confirmed that the private encryption key was stored on the same machine. They've been parroting lines about the password on the private key being too strong to crack.


It was also made clear that the encryption key was protected by a passphrase which was not stored on the machine.


"which was not stored on the machine", as if they should be commended (reminds me of exams where you received some credit for including your name...).

I am sorry, but them confirming this fact (and, if I recall correctly, even adding a smiley in the tweet where they did it) just cemented that they do not understand their business.

They clearly wish to give the impression that they are "secure". They need more lock icons... they are almost as effective as the racing stickers on my car!


The real problem here is that PCI certification is an absolute joke.

There should be several classes of certification, from "I want to sell a few pet rocks" to "I'm Apple with 150,000,000 credit cards on file". Right now there are basically two.


This isn't proof of anything, but a few days after this incident the CC I use for Linode got a fraudulent charge, the first such in years. I cancelled the card, so no big deal, but this makes me strongly suspect that the attacker ended up with actual card numbers, regardless of the passphrase.


IRC logs showed the passphrase was extracted from the ColdFusion app's memory.
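As an added illustration (not code from this thread, and not Linode's implementation, which is known only through what the comments above state), the following Go program models the two attackers the discussion keeps conflating: one holding only a copy of the disk, who has to guess the passphrase and pay the full key-derivation cost per guess, and one with code execution inside the running application, who never needs the passphrase because the unwrapped key is already sitting in process memory, as the IRC logs describe. The cipher (AES-256-GCM), the KDF (PBKDF2-HMAC-SHA256), the work factor, the passphrase and the card numbers are all my own constructed choices for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIters = 50_000 // assumed work factor; tune to the hardware in practice

// PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block: each guess costs iters HMACs.
func pbkdf2Sha256(passphrase, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// AES-256-GCM with the random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// The thread's design: the passphrase-wrapped data key and the ciphertexts sit on
// one host. The passphrase never touches disk, but the unwrapped key must stay in memory.
type Vault struct {
	Salt, WrappedDEK []byte   // on disk
	Records          [][]byte // on disk: encrypted PANs
	dek              []byte   // process memory only, set by Unlock
}

func NewVault(passphrase string) *Vault {
	v := &Vault{Salt: make([]byte, 16)}
	rand.Read(v.Salt)
	dek := make([]byte, 32)
	rand.Read(dek)
	v.WrappedDEK = seal(pbkdf2Sha256([]byte(passphrase), v.Salt, kdfIters), dek)
	return v
}

// Unlock is what the operator does at start-up, typing the passphrase in.
func (v *Vault) Unlock(passphrase string) error {
	dek, err := unseal(pbkdf2Sha256([]byte(passphrase), v.Salt, kdfIters), v.WrappedDEK)
	if err != nil {
		return fmt.Errorf("wrong passphrase: %w", err)
	}
	v.dek = dek
	return nil
}

func (v *Vault) Store(pan string) { v.Records = append(v.Records, seal(v.dek, []byte(pan))) }

// InProcessAttack: code running inside the app uses the unwrapped key it finds
// in memory; the strength of the passphrase plays no part.
func InProcessAttack(v *Vault) (pans []string) {
	for _, r := range v.Records {
		if p, err := unseal(v.dek, r); err == nil {
			pans = append(pans, string(p))
		}
	}
	return pans
}

// OfflineAttack: a stolen copy of the disk only. Every guess costs a full KDF run;
// returns the recovered PANs (nil if no guess worked) and the guesses spent.
func OfflineAttack(v *Vault, guesses []string) ([]string, int) {
	for n, g := range guesses {
		if dek, err := unseal(pbkdf2Sha256([]byte(g), v.Salt, kdfIters), v.WrappedDEK); err == nil {
			return InProcessAttack(&Vault{Records: v.Records, dek: dek}), n + 1
		}
	}
	return nil, len(guesses)
}

func main() {
	v := NewVault("correct horse battery staple") // constructed passphrase and PAN
	v.Unlock("correct horse battery staple")
	v.Store("4111111111111111")
	pans, n := OfflineAttack(v, []string{"password", "hunter2", "linode"})
	fmt.Println("in process:", InProcessAttack(v), "| disk only:", pans, "after", n, "guesses")
}
```

The code makes the architectural point concrete: a passphrase that is "too strong to crack" only raises the price of the offline path, while the in-process path costs nothing because the application had to unwrap the key to do its job. The change that removes the second path is to take decryption off the web tier altogether, for example by giving it an encrypt-only public key and keeping the private key on a separate host that the web application cannot reach, so that nothing in the compromised process is capable of opening the records.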



