According to the notice on the service's website, the DDoS attack started on Tuesday. The company then noticed that a number of messages were left by the attacker on their Amazon EC2 control panel, meaning that he or she had access to it.
The identity of the attacker is still unknown, as is how he or she was able to access the control panel. The service says that they have "no reason to think it's anyone who is or was employed with Code Spaces."
The initial internal investigation revealed that no machine access had been achieved by the attacker. Not wanting to pay the large fee requested by the attacker to stop the DDoS attack, they attempted to regain control of the panel by changing passwords.
Unfortunately for them, the intruder was prepared for that attempt, and had already created a number of backup logins. He retaliated by proceeding to randomly delete artifacts from the panel.
"We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances," they shared. "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."
"Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility," they explained. "As such at this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us."
"All that we can say at this point is how sorry we are to both our customers and to the people who make a living at Code Spaces for the chain of events that led us here," they concluded. "We hope that one day we will be able to reinstate the service and credibility that Code Spaces once had!"
Users across the web are commenting on the fact that the company promised regular, off-site backups, but failed to mention that those backups were accessible via the AWS control panel. Also, it seems obvious that they haven't used multi-factor authentication to secure the AWS account, even though the option is there.