As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. … Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.
If you’re a Linode customer, it’s also worth reading the abridged IRC log from one of the hackers bragging about the attack to get an idea of what was taken and how. It may influence your decision whether to remain a Linode customer. I’m on the fence.
Linode claims that Manager passwords were stored as bcrypt hashes, so they should be reasonably OK, but Lish passwords and API tokens were stored in plaintext. I’ve never used Lish, but if you have, consider those passwords permanently compromised.
Credit-card info might be at risk. It was stored with public/private-key cryptography, which is very smart in theory — the customer-facing machines could encrypt the data using the public key, while only the (presumably separate) billing machines could decrypt it with the private key — except that Linode apparently kept the public and private keys together, so the hackers have both.
The only protection is the passphrase on the key. A rep from Linode says:
The passphrase is not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads.
It’s up to you whether you’re confident enough in the passphrase’s complexity to continue trusting any credit-card numbers you’ve used with Linode.