391 points kinj28 | 8 comments

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it and sent us a health event. There were numerous domains verified and we could see an SES quota increase request had been made.

We are still investigating the vulnerability at our end. Our initial suspect list has 2 suspects: an API key, or console access where MFA wasn’t enabled.
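One way to look for the pattern described above in CloudTrail, as an added example that is not the original poster's code: a burst of RunInstances from one principal, SES domain verification or quota-increase calls, and console logins without MFA. The records, thresholds and the set of SES-related API names are assumptions constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Demo thresholds (assumptions, not AWS defaults): the post saw ~600 launches in 3 hours.
BURST_WINDOW = timedelta(hours=3)
BURST_THRESHOLD = 50
# API names associated with SES abuse prep (domain verification, quota increase); set is an assumption.
SES_SIGNALS = {"VerifyDomainIdentity", "VerifyDomainDkim", "RequestServiceQuotaIncrease", "CreateCase"}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def principal(ev):
    """Attribute an event to the access key or ARN that made it."""
    ident = ev.get("userIdentity", {})
    return ident.get("accessKeyId") or ident.get("arn") or "unknown"

def triage(events):
    """Return {principal: [findings]} for instance bursts, SES signals and console logins without MFA."""
    findings, launches = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, who, t = ev["eventName"], principal(ev), datetime.strptime(ev["eventTime"], FMT)
        if name == "RunInstances":
            window = launches[who]
            window.append(t)
            while t - window[0] > BURST_WINDOW:  # slide the window forward
                window.pop(0)
            if len(window) == BURST_THRESHOLD:  # fire once, when the threshold is first crossed
                findings[who].append(f"{BURST_THRESHOLD} RunInstances within {BURST_WINDOW} by {ev['eventTime']}")
        elif name in SES_SIGNALS:
            findings[who].append(f"{name} ({ev.get('eventSource', '?')})")
        elif name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings[who].append("ConsoleLogin without MFA")
    return dict(findings)

def build_sample():
    """Constructed CloudTrail-shaped records, not real data: a leaked key launching 600 instances in 3h."""
    base = datetime(2025, 10, 20, 8, 0, 0)
    key = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY0001"}
    evs = [{"eventTime": (base + timedelta(seconds=18 * i)).strftime(FMT), "eventName": "RunInstances",
            "eventSource": "ec2.amazonaws.com", "userIdentity": key} for i in range(600)]
    evs.append({"eventTime": "2025-10-20T08:05:00Z", "eventName": "VerifyDomainIdentity",
                "eventSource": "ses.amazonaws.com", "userIdentity": key})
    evs.append({"eventTime": "2025-10-20T08:06:00Z", "eventName": "RequestServiceQuotaIncrease",
                "eventSource": "servicequotas.amazonaws.com", "userIdentity": key})
    evs.append({"eventTime": "2025-10-20T07:50:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
                "additionalEventData": {"MFAUsed": "No"}})
    evs += [{"eventTime": f"2025-10-20T1{i}:00:00Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
             "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEBENIGN"}} for i in range(3)]
    return evs
```

Run `triage(build_sample())` to see the three findings attributed to the constructed leaked key and none for the benign key that launched three instances over several hours.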

1. CaptainOfCoit No.45659367
Is it possible that people who already managed to get access (that they confirmed) have been waiting for any hiccups in AWS infrastructure in order to hide among the chaos when it happens? So maybe the access token was exposed weeks/months ago, but instead of going ahead directly, they idled until there was something big going on.

Certainly feels like a strategy I'd explore if I was on that side of the aisle.

replies(3): >>45660189 #>>45660584 #>>45662828 #
2. jinen83 No.45660189
I am from the same team & I can concur with what you are saying. I did see a warning about the same key that was used in today's exploit about 2 years ago from some random person in an email, but there was no exploitation till yesterday.
replies(1): >>45663776 #
3. iainctduncan No.45660584
Absolutely. I'm in diligence and we are hearing about attackers even laying the groundwork and then waiting for company sales. The sophisticated ones are for sure smart enough to take advantage of this kind of thing and to even be prepping in advance and waiting for golden opportunities.
4. shadowpho No.45662828
Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

If my company used AWS I would be hyper-aware of anything it’s doing right now.

replies(3): >>45663738 #>>45670051 #>>45671945 #
5. LorenPechtel No.45663738
I think the idea is that after an outage you would expect unusual patterns and thus not be sensitive to them.
6. LeonardoTolstoy No.45663776
This is it. I had the same thing happen to me a year ago and there was a month between the original access to our system and the attack. And similarly they waited until a perceived lull in what might be org diligence (just prior to thanksgiving) to attack.
7. CaptainOfCoit No.45670051
> Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

Yes and no, I suppose; it has trade-offs. On one hand, what you're saying is true for sure. But on the other hand, if you're currently trying to rescue a failing service, come across something that looks weird and have a hunch you should investigate, but you're in the middle of fire-fighting, maybe you're more likely to ignore it at least until the fire's been put out?

8. djeastm No.45671945
Might be, but also could be the opposite. With people's heads swimming just to get back online they might de-prioritize something else that just looks odd, where under normal times they'd have the time/energy to go investigate.