←back to thread

Ask HN: Our AWS account got compromised after their outage

391 points kinj28 | 1 comments | 21 Oct 25 15:55 UTC | HN request time: 0.25s | source

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.

We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.

Show context
timdev2 ◴[21 Oct 25 17:03 UTC] No.45658257[source]
I would normally say that "That must be a coincidence", but I had a client account compromise as well. And it was very strange:

Client was a small org, and two very old IAM accounts had suddenly had recent (yesterday) console log ins and password changes.

I'm investigating the extent of the compromise, but so far it seems all they did was open a ticket to turn on SES production access and increase the daily email limit to 50k.

These were basically dormant IAM users from more than 5 years ago, and it's certainly odd timing that they'd suddenly pop on this particular day.

replies(3): >>45659427 #>>45663754 #>>45672001 #
tcdent ◴[21 Oct 25 18:13 UTC] No.45659427[source]
Smells like a phishing attack to me.

Receive an email that says AWS is experiencing an outage. Log into your console to view the status, authenticate through a malicious wrapper, and compromise your account security.

replies(4): >>45659478 #>>45659699 #>>45664258 #>>45665835 #
SoftTalker ◴[21 Oct 25 18:16 UTC] No.45659478[source]
Good point. Phishers would certainly take advantage of a widely reported outage to send emails related to "recovering your services."

Even cautious people are more vulnerable to phishing when the message aligns with their expectations and they are under pressure because services are down.

Always, always log in through bookmarked links or typing them manually. Never use a link in an email unless it's in direct response to something you initiated and even then examine it carefully.

replies(4): >>45662463 #>>45663256 #>>45663324 #>>45668083 #
Sebb767 ◴[22 Oct 25 12:33 UTC] No.45668083[source]
> Always, always log in through bookmarked links or typing them manually. Never use a link in an email unless it's in direct response to something you initiated and even then examine it carefully.

If you still want to avoid the comfort of typing in stuff manually or navigating the webinterface, logging in on a new tab and then clicking on the link is also an option.

replies(1): >>45668706 #
morkalork ◴[22 Oct 25 13:20 UTC] No.45668706[source]
Mini-rant here but I hate how websites for SaaS products are so over-optimized for the sales funnel. It's like giant blue button to sign up, teeny tiny link to login, if there is even one at all on any of the main pages. Often your access is on an entirely different subdomain that barely ranks on Google. If it's something that "just works" and you only access every 6 months, it's pain to go hunting through your email to rediscover if it's clients.example.com, portal.example.com, or whatever the heck it is.
replies(1): >>45669167 #
1. rtkwe ◴[22 Oct 25 13:51 UTC] No.45669167[source]
I hate how many sites do that, always a signup first then a small little "Already have an account" link below that. Feels almost hostile to your existing users.