cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as:
chpasswd: list: | user1:RANDOM
When used this way, cloud-init logs the raw, unhashed password to a world-readable local file.
For Debian 8 jessie, these problems have been fixed in version 0.7.6~bzr976-2+deb8u3.
We recommend that you upgrade your cloud-int packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.