Code Spaces, the web-based SVN and Git hosting provider, has ceased trading after revealing that the devastating DDoS attack which wiped its cloudy data would cost too much to both resolve and still keep the company going.
An unauthorised user gained access to the company’s EC2 control panel, created a series of backup logins and randomly deleted items, to the extent that most of Code Spaces’ data had disappeared, with no backups in place. The attacker had also demanded a large sum of money to stop the DDoS, similar to the attack on Feedly earlier this month.
“Code Spaces will not be able to operate beyond this point,” the company said in a statement. “The cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in a [sic] irreversible position both financially and in terms of ongoing credibility.
“At this point in time we have no alternative but to cease trading and concentrate on supporting our affected customers in exporting any remaining data they have left with us,” it added.
Although this may make customers a bit more scared about hosting data in the cloud, it has to be noted that Code Spaces appears very much at fault here: it had no proper backup or disaster recovery plan in place, and that has been cruelly exposed.
Jeff Schilling, chief security officer at FireHost, says that the fault lies with both Code Spaces and its service provider.
“Code Spaces will get a lot of criticism here, and rightly so, but cloud hosting providers are not blameless. Not by a long shot,” he said. “Sometimes a hosting provider needs to save its customers from themselves and advise them on how to implement security controls.
“In my opinion, just saying ‘here are the security tools, use them if you want’ is just not enough,” he added. “Security features should always be opt-out and never opt-in, particularly given the potential consequences of a breach which, as we’ve seen from Code Spaces, can be devastating.”
Code Spaces had already suffered connectivity and downtime issues in March and September, but these were relatively minor.
The company said it was unsure of the miscreant’s identity, saying only that it had “no reason” to think it was a current or ex-employee of the firm.