
391 points kinj28 | 1 comments

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see an SES quota increase request was made.

We are still investigating the vulnerability at our end. Our initial suspect list has 2 suspects: API key or console access where MFA wasn’t enabled.

CaptainOfCoit No.45659367
Is it possible that people who already managed to get access (that they confirmed) have been waiting for any hiccups in AWS infrastructure in order to hide among the chaos when it happens? So maybe the access token was exposed weeks/months ago, but instead of going ahead directly, idle until there is something big going on.

Certainly feels like a strategy I'd explore if I was on that side of the aisle.

shadowpho No.45662828
Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

If my company used AWS I would be hyper aware about anything that it’s doing right now

1. LorenPechtel No.45663738
I think the idea is that after an outage you would expect unusual patterns and thus not be sensitive to them.