
391 points kinj28 | 2 comments

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it and sent us a health event. Numerous domains were verified, and we could see that an SES quota increase request had been made.

We are still investigating the vulnerability at our end. Our initial suspect list has two suspects: an API key, or console access where MFA wasn't enabled.

sousastep (No.45657982)
A couple of folks on Reddit said that while they were refreshing during the outage, they were briefly logged in as a whole different user.
afandian (No.45658079)
Got references? This is crazy.
blast (No.45662414)
I saw a link to https://old.reddit.com/r/webdev/comments/1obtbmg/aws_site_re... at one point but then it was deleted
1. perpil (No.45662923)
This is not about the AWS Console. It is talking about the customer's site hosted on CloudFront. It is possible to cross wires between user sessions when using CloudFront if you haven't configured caching granularly enough to be specific to an end user. This scenario is customer error, not AWS.
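The "crossed wires" perpil describes are a cache-key problem: a shared edge cache that keys only on the URL will hand one user's rendered page to the next user who requests the same path. The toy model below is an added example, not code from the thread or from AWS, and the users, session cookies and responses in it are constructed. It compares the misconfigured cache key (path only) with two fixes: making the session cookie part of the cache key, and having the origin mark per-user responses `Cache-Control: private, no-store` so the cache refuses to store them at all.

```python
"""Toy model of a shared HTTP cache in front of a per-user origin.

Added example (not from the thread or from AWS). It mimics the CloudFront
footgun discussed above: when the cache key is only the URL path, a page
rendered for one logged-in user is served to the next user who requests the
same path. Keying on the session cookie, or honoring Cache-Control: private /
no-store from the origin, prevents the leak. All data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed session store: session-id -> user name.
SESSIONS = {"sess-alice-1": "alice", "sess-bob-2": "bob"}


@dataclass
class Response:
    body: str
    cache_control: str = ""  # e.g. "private, no-store"


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


def origin(req: Request) -> Response:
    """Origin app: renders the account page for whoever the cookie says."""
    user = SESSIONS.get(req.cookies.get("session", ""), "anonymous")
    if req.path == "/account":
        # Per-user content: the origin correctly marks it non-cacheable.
        return Response(f"Account page for {user}", cache_control="private, no-store")
    return Response("Public homepage", cache_control="public, max-age=60")


CacheKeyFn = Callable[[Request], Tuple]


def key_path_only(req: Request) -> Tuple:
    """Misconfigured: cache key ignores cookies, so all users share entries."""
    return (req.path,)


def key_path_and_session(req: Request) -> Tuple:
    """Hardened: the session cookie is part of the cache key."""
    return (req.path, req.cookies.get("session", ""))


class EdgeCache:
    """Minimal shared cache; honor_private=False models a cache whose TTL
    settings override the origin's Cache-Control directives."""

    def __init__(self, key_fn: CacheKeyFn, honor_private: bool) -> None:
        self.key_fn = key_fn
        self.honor_private = honor_private
        self.store: Dict[Tuple, Response] = {}

    def fetch(self, req: Request) -> Response:
        key = self.key_fn(req)
        if key in self.store:
            return self.store[key]  # cache hit: whoever asked gets this body
        resp = origin(req)
        directives = resp.cache_control
        uncacheable = "private" in directives or "no-store" in directives
        if not (self.honor_private and uncacheable):
            self.store[key] = resp
        return resp


def simulate(key_fn: CacheKeyFn, honor_private: bool) -> str:
    """Alice loads /account first, then Bob loads it; return what Bob sees."""
    cache = EdgeCache(key_fn, honor_private)
    cache.fetch(Request("/account", {"session": "sess-alice-1"}))
    return cache.fetch(Request("/account", {"session": "sess-bob-2"})).body


if __name__ == "__main__":
    print("path-only key, Cache-Control ignored:", simulate(key_path_only, False))
    print("path-only key, private honored:      ", simulate(key_path_only, True))
    print("path+session key:                    ", simulate(key_path_and_session, False))
```

The first configuration is the footgun: Bob receives "Account page for alice". In CloudFront terms, the fix is a cache policy whose cache key includes the session cookie (or, with legacy cache settings, forwarding that cookie), and, as defense in depth, an origin that sends `Cache-Control: private, no-store` on per-user responses. Note the caveat that CloudFront honors `no-cache`, `no-store` and `private` only when the behavior's minimum TTL is 0; a non-zero minimum TTL makes it cache those responses anyway, which is exactly the "ignored" case modelled above.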
2. fulafel (No.45665707)
I'd argue it's a classic footgun and a flaw of CloudFront (they should at least warn about it much more).