←back to thread

Ask HN: Our AWS account got compromised after their outage

391 points kinj28 | 1 comments | 21 Oct 25 15:55 UTC | HN request time: 0.2s | source

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.

We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.

Show context
CaptainOfCoit ◴[21 Oct 25 18:09 UTC] No.45659367[source]
Is it possible that people who already managed to get access (that they confirmed) has been waiting for any hiccups in AWS infrastructure in order to hide among the chaos when it happens? So maybe the access token was exposed weeks/months ago, but instead of going ahead directly, idle until there is something big going on.

Certainly feels like an strategy I'd explore if I was on that side of the aisle.

replies(3): >>45660189 #>>45660584 #>>45662828 #
jinen83 ◴[21 Oct 25 19:06 UTC] No.45660189[source]
I am from the same team & i can concur with what you are saying. I did see a warning about the same key that was used in todays exploit about 2 years ago from some random person in an email. but there was no exploutation till yesterday.
replies(1): >>45663776 #
1. LeonardoTolstoy ◴[22 Oct 25 00:59 UTC] No.45663776[source]
This is it. I had the same thing happen to me a year ago and there was a month between the original access to our system and the attack. And similarly they waited until a perceived lull in what might be org diligence (just prior to thanksgiving) to attack.