During time of panic, that’s when people are most vulnerable to phishing attacks.
Total password reset and tell your AWS representative. They usually let it slide on good faith.
Here is what happened:
Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.
We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.