Board: Bitcoin Discussion
Re: Bitcoinica Warning: Please do not re-use any old Bitcoin deposit addresses
by kurtosis on 02/03/2012, 03:18:39 UTC
- Customer data is safe.

The compromised server was entirely dedicated to holding our bitcoin "hot wallet" only. Thankfully, this function is the only one ever hosted at Linode. No customer data has ever been hosted at Linode. Also, there is no privileged access from the affected server. This means that no passwords, account activity, or any other customer data has been exposed by this incident.
I just noticed that the Bitcoinica login page appears to have no lost/forgotten password functionality, and that the only way to change your password is to successfully log in and change it from the admin account. Might I suggest adding this feature?

The reason is that if Bitcoinica is ever cracked and the pwd database stolen, the thieves could run a script that changes all the passwords, as the Mt. Gox hackers did last summer. I, having stupidly used the same login credentials as my Facebook and Twitter accounts, lost both those social media accounts in addition to my Mt. Gox one.

It was only because they had password reset functionality publicly exposed on the login page that I was able to quickly send myself a pwd reset email and get them back before they also changed my account email address or any other harm was done.

But as it is, if such an attack ever succeeds on Bitcoinica, the account is gone, with no way for the user to quickly recover it.