"which was not stored on the machine", like they should be commended ( Reminds me of exams where you received some credit for including your name... ).
I am sorry, them confirming this fact, and even, if I recall, adding a smiley in the tweet where they did it, just cemented that they do not understand their business.
They clearly wish to give the impression that they are "secure". They need more lock icons...they are almost as effective as the racing stickers on my car!
The real problem here is that PCI certification is an absolute joke.
There should be several classes of certification, from "I want to sell a few pet rocks" to "I'm Apple with 150,000,000 credit cards on file". Right now there are basically two.
This isn't proof of anything, but a few days after this incident the CC I use for Linode got a fraudulent charge, the first such in years. I cancelled the card, so no big deal, but this makes me strongly suspect that the attacker ended up with actual card numbers, regardless of the passphrase.