To dismiss this breach seems odd to me. The tech community in general has placed a lot of trust and faith in Linode over the years. The shareowners at Linode have surely been great beneficiaries to that. Part of that "unspoken agreement", if you will, is that Linode be competent at what they do and that means keeping your data and information secure.
If even an iota of what I read in the abridged IRC log is true, Linode doesn't seem to care much about security or protecting Linode customer data. I mean, storing "encrypted" card numbers alongside private/public keys? Really.
Sigh, really? Ok, you typed your credit card number into a web browser at some point. If your sole reason for doing so was "I absolutely trust the people on the other end of this socket not to do what 99% of all people handling credit card data do whether they pretend otherwise or not", instead of something like "hmm that reminds me, I haven't scanned last month's statement yet", then the problem lies squarely with you, the uninformed consumer.
I will happily dismiss this breach, not because they didn't make some amateur crypto mistake, or because they weren't using freaking ColdFusion, or because they were storing data in some nice compartmentalized form, I reject because this happens every single day and has done for decades, and there is an entire sub-industry built around its after-effects. If you don't understand this you shouldn't own a credit card.
If you type a credit card number in online not expecting to recuperate any damage caused from your card company, call them up now for clarification or cancel the damn card. That's equivalent to stuffing cash in an envelope and posting it to Nigeria because some prince promises he'll keep it in a safe for you. It's 90% the reason you should be using credit cards in the first place. Think.
Linode should not be rubbished here. They've got one of the largest VPS installs around, so they most likely know their shit. They make an ultra-common CC mistake that has happened daily for almost 20 years now, by companies large and small, got pwned due to a bug in someone else's software, and you think I'm going to play along with the righteous indignation bullshit here? GTFO.
Let he without sin cast the first stone. Despite 20+ years' experience I still cannot cast that first stone. I make bullshit mistakes like this every day, and despite your grandiose delusions you probably do too.
As for whiners complaining about their data suddenly being insecure, well, data security 101: you're making the same bullshit mistake Linode are making, and despite that you're complaining about it. If you care about data security in the "cloud", hosting it on a freaking VPS is not the way to do things.
So because companies A through X are irresponsible with data, customers should regard that as acceptable and give company Y a free pass to do the same? I don't understand how a reasonable analysis of the situation can come to that conclusion.
You don't know the names of companies A through X, or supposedly safe Z for that matter. All you'll be doing is an enormous amount of work and bother to move from Y to, let's say, A, because you think you'll be more secure but unfortunately if anything it's probably the other way around, it's just that A hasn't been hacked... yet... so far as they know...
None of them get a free pass, they all suck, but the one that just got busted is probably going to be a little more security focused in the near future.
Hmm stay at a place that just got burned, or expend lots of effort to move to a place that hasn't been burned yet...
"Because Nigerian princes A through X are irresponsible with your cash, budding lottery winners should regard that as acceptable and give Nigerian prince Y a free pass to do the same?"
Of course not, and this drives to the very core of risk management. I've signed up for some very shady online services in my time, doing so in the full knowledge that should a product or service not be rendered as advertised, I am guaranteed to be able to reverse the relevant charge. Even when I the consumer am doing something shady (in a case last month, attempting to import goods I knew weren't certified for the EU), the system still works for me. This is the sole reason I use a credit card rather than, say, my current account's Visa number.
It's not even about assessing the risk of whether or not you're going to get ripped off, but whether or not a particular company will cause you the inconvenience of the aforementioned phone calls.
If you work on the assumption that your card data is safe, you quite simply aren't safe enough to be in possession of a computer or card. Credit cards aren't built on that assumption, instead their entire motivation is based on risk profiling both the consumer and merchant, and terminating agreements when various thresholds are reached. In return the industry guarantees that in the minority of cases where things go wrong for the consumer, the problem can be corrected swiftly.
It's understandably upsetting that their customer database might have leaked, and I can genuinely understand people's concern over that. But as 4chan has taught us, there are very few people left in the west whose address and telephone number aren't available within even an hour's Googling.
As for locating confidential data on machines shared with other customers and managed by a piece of unaudited software, I have no sympathy for that. That's the price of a VPS, and why it's so heavily discounted compared to real hardware.
> If your sole reason for doing so was "I absolutely trust the people on the other end of this socket not to do what 99% of all people handling credit card data do whether they pretend otherwise or not", instead of something like "hmm that reminds me, I haven't scanned last month's statement yet", then the problem lies squarely with you, the uninformed consumer.
If your expectation when taking credit card numbers was "I'm confident in my abilities to keep this information safe, and if I get hacked I expect my customers not to move to another service and never, ever touch mine with a ten foot pole", then the problem lies squarely with you, the uninformed business.