Izumi Posted July 5, 2022

All,

I wanted to reach out to the community for some feedback and share my experience on AWS. Recently, I discovered that my AWS Free Tier learning account was compromised. Received an email that there was suspicious activity on my account, which I hadn't utilized in several months. After observing a second and third similar email, rather than click on any links, I wanted to ensure the emails were legit and logged into my account. Little to my surprise, did I see that not only were there some new users created, but someone created over 2,533 Endpoints across every single regional zone they offer (26 geographical regions across six continents). There was a variety of servers and instances set up which as far as I could tell was simply performing some API calls across the Asian Pacific and into the 'Stans.

Long story short, I was billed a minuscule $491,233 over the 4th of July weekend. Fucking chump change, right? Pretty certain I had a couple heart attacks. If I didn't have kids, I'd probably have spread my brains on my favorite wall - I'm fond of the southern facing wall with the fireplace in my great room. Some tissue might add a nice touch...

I'll say of AWS Support: it is absolutely horrible. They claim due to security reasons, they do not have a phone number to reach out to any departments and you need to open a Case with them and request a callback. Imagine attempting to do this on a holiday weekend in the states. 3 Customer Support reps have reached out to me on ways I can secure my account. None of them have last names or contact numbers and they refuse to call any number I provide.
Instead of offering actual support, they list the many ways to remove the data created by the attacker. At this point, I can then request that they stop the bleeding from the account accruing charges.

Luckily, I've been able to locate and restrict the attacker's access to the AWS account to the best of my ability, removing credentials and their scripts that were placed into the account. Now, I have to put on some tunes and delete, one at a time, the 2,533 Endpoints which made over 1 million API calls in just 5 days since the account appeared to have been breached. My wife found a lot of people in similar situations of their accounts being compromised and none seem to end well.

Anyway, passing along my horror story and just know that multi-factor authentication and complex passwords (randomly generated ones of 32 characters or more) using AWS isn't enough. Lock your shit down with certs and rotate your creds frequently... or better yet, stay the hell away from AWS. Then again, if my account was compromised due to a security exploit on the AWS-side, there will be blood. I mean, a series of strongly-worded letters from lawyers.

If anyone has some advice in working with AWS or getting thru to a live person or suggestions on any specific lawyers or government offices I should contact I'm all ears.... I've reached out to the Ohio Attorney General's Office, the FBI and IC3 to file complaints and began a BBB filing against AWS.

Best,
Izumi

timinator Posted July 5, 2022

Dude that sucks big time. That happened to me once about 12 years ago and luckily they had just backed up my info a few hours before so they scrubbed the data and reloaded it after I had changed my credentials. I don't remember much other than it was a pain in the @ss. Hope they get it straightened out for you.

Hoth Posted July 5, 2022

Let me know how this cluster f$%% progresses. I will let you know if I run across any new known or unknown exploits. Interesting such a big player has nonexistent suck ass support.

WeednFeed Posted July 5, 2022

Sorry for your Sh!t show! This may be a stupid question. What is AWS? Amazon web service?

KaptCrunch Posted July 5, 2022

Weed, yes it is. Now you know how Jeff got rich, same as Bill. For over holiday was stripped of Steam data 2 Tb after loading a game, system trashed a drive on an update.

Izumi, I feel for you, reminds me of an Australian home security company charged stealing a property in the 80's, can't find that story but found this

So many people who put their info on a computer is a target without some kind of digital security encryption algorithms. You don't have to die for you to inherit something? Money root of all evil.

Izumi, life is more important than money like scheming Covid.

Izumi Posted July 8, 2022

Thanks guys. Fortunately, they had an expired card linked to the account and they're unable to retrieve any funds. They'll have to venture into the collection route in which case I'm hoping to have a few folks in my corner to fight with me. My open IC3 and FBI case numbers seemed to get their attention pretty quickly which was just odd behavior for an organization of that magnitude.

If anyone is ever in this predicament, AWS wants the account holder to perform cleanup and "secure the account" themselves based off of an action item list they send you, so they can then.... secure the account. Pretty scary to say the least that they can just notify you that your account has been hijacked on their service and then leave you hanging instead of taking measures to restrict it and prevent more data charges from accruing.

Anyway, first world problem mostly resolved. Just waiting on AWS billing team to zero out the balance, which may be a lengthy fight but I am not paying a cent... (willingly).