Linode has a super bad reputation on security.
I think this Glassdoor review sums it up pretty well:
Linode has been hacked at least 5 times in the past decade, and EVERY TIME they try their hardest to downplay the incident and distract attention from it, avoiding any public communications at all if possible.
I've been with them since 2009. I know the current recommendation from security-focused people is not to use them, due to their mishandling of past events.
Obligatory Linode warning. Linode has a history of putting their customers in very uncomfortable situations.
Here's a few HN threads on the previous disasters:
https://news.ycombinator.com/item?id=3654110 Compromised Linode, thousands of BitCoins stolen (2012)
https://news.ycombinator.com/item?id=3655137 Linode Manager Security Incident (2012)
https://news.ycombinator.com/item?id=5552756 Linode hacked, CCs and passwords leaked (2013)
https://news.ycombinator.com/item?id=7086921 An old system and a SWAT team (2014)
https://news.ycombinator.com/item?id=10825425 Linode DDoS continues – Atlanta down for 16+ hours (2016)
https://news.ycombinator.com/item?id=10998661 The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks (2016)
https://news.ycombinator.com/item?id=10845170 Security Notification and Linode Manager Password Reset (2016)
https://news.ycombinator.com/item?id=10806686 Linode is suffering on-going DDoS attacks (2016)
Around November in 2015 the IRC network I host was hacked due to a breach Linode had already been informed of (https://news.ycombinator.com/item?id=10845985) - I had a completely unique username, password, and I even had 2FA enabled. Linode support refused to work with me, advising me to "secure my 2fa device better next time". Longevity of a company like Linode clearly isn't indicative of good business practices, only that they are the cheapest option.
This is the meat of the PagerDuty complaint:
We also have evidence from access logs provided by Linode that the attackers tried to authenticate as an ex-employee, whose username ONLY existed in the Linode database. It was absolutely unique and was not used elsewhere by the employee, making the username an accidental honeypot. This was another piece of data supporting that Linode was the source of our compromise.
We immediately reached out to them not only to inform them of their compromise, but to assist them in investigating it. We were confident that the Linode database had been breached, and that the secret key used to encrypt information in the database had been compromised as well.
In addition to reaching out to Linode, we also worked with a third-party security firm to audit our work done during the incident. Likewise, around the same time we reached out to law enforcement to assist in investigating the attack. I believe our public disclosure includes this information. This was in the middle of July 2015.
We did not get confirmation in July that there was a breach of the Linode Manager or any associated credentials.
In the end, we migrated away from Linode because of this breach (even before it was publicly disclosed) in Aug 2015. We also never were able to confidently disclose that Linode was the vector due to lack of confirmation from their end. While all of us who responded to the incident were confident they were the source, we now thankfully have the data to confirm it.
It's probably a pain to switch, but definitely don't pick Linode if you are starting out.