A now patched zero-day Adobe ColdFusion vulnerability was used to steal source code and encrypted customer credit card numbers and passwords from US web host Linode.
The company revealed details in a blog in which it said it received two reports of fraud against affected cards, and poured cold water on rumour the private key was stored with the public key.
"As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database," the company said.
"Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure."
Adobe patched the vulnerability on 9 April and stated it could be exploited to impersonate an authenticated user and gain access to the ColdFusion administrator console.
Linode reset user passwords for its Linode Manager client despite that only the salts and hashes were stored in the breached database.