updated 07:19 pm EDT, Wed June 18, 2014
Hosting company returning what data it has, left financially crippled by attack
What started as a denial-of-service-attack (DDOS) has resulted in critical loss of data for code-hosting company Code Spaces yesterday. Code Spaces has decided to throw in the towel when someone deleted the majority of customer data after gaining access to the company's Amazon Web Services (AWS) account. The company, which was left compromised and unable to restore data, made the decision to completely shut down.
Code Spaces had previously offered hosting services that were noted as being a source of security whenever a catastrophic event occurred. The company claimed to be host of over 200 companies for "rock solid, redundant and highly available" code hosting and project management. Uptime was said to be guaranteed at 99 percent, with data centers on three continents.
The ordeal initially began with a DDOS, but was later found out to be to someone extorting the company. Cloud Secure found that an attacker -- who the company believes is neither a current or former employee -- then left messages in the Amazon EC2 control panel to be contacted. Realizing that someone had access, employees sprung to action while contacting the person at the Hotmail address.
While researching how its system could be accessed, Cloud Secure ruled out machine access, since the attacker didn't have the private keys. Attempts were made to regain the control panel, only to find that the attacker had created backup logins. Once the attacker found out that control was being wrested away, he or she began deleting random items, according to Cloud Secure.
A large swath of data was a the casualty, as the unknown intruder permanently destroyed Apache Subversion repositories, some of Amazon's Elastic Block Store (EBS) volumes, all EBS snapshots, S3 buckets and several machine instances. The result was that Code Spaces wasn't able to live up to its hosting and backup promises.
Control was eventually restored to the team at Code Spaces, but the damage had already been done. In the company's statement, no mention is made of the backup copies at "multiple offsite locations" the company claims are made with every data change.
"Code Spaces will not be able to operate beyond this point," said a note on the company's website. "The cost of resolving this issue to date, and the expected cost of refunding customers who have been left without the service they paid for, will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."
The message was available for a short time until the company's website was pulled offline. A cached copy is still available from Google.
In the course of 12 hours, Cloud Spaces went from a company that dealt with common DDOS attacks and offered backup confidence to being completely ruined. Cloud Spaces management is now sifting through the remaining data and working with customers to export what remains.
"All that we can say at this point is how sorry we are to both our customers and to the people who make a living at Code Spaces for the chain of events that led us here."