391 points kinj28 | 1 comments | 21 Oct 25 15:55 UTC | HN request time: 0s | source

Could there be any link between the two events?

Here is what happened:

Some 600 instances were spawned within 3 hours before AWS flagged it off and sent us a health event. There were numerous domains verified and we could see SES quota increase request was made.

We are still investigating the vulnerability at our end. our initial suspect list has 2 suspects. api key or console access where MFA wasn’t enabled.

Show context

CaptainOfCoit ◴[21 Oct 25 18:09 UTC] No.45659367[source]▶

>>45657345 (OP) #

Is it possible that people who already managed to get access (that they confirmed) has been waiting for any hiccups in AWS infrastructure in order to hide among the chaos when it happens? So maybe the access token was exposed weeks/months ago, but instead of going ahead directly, idle until there is something big going on.

Certainly feels like an strategy I'd explore if I was on that side of the aisle.

replies(3): >>45660189 #>>45660584 #>>45662828 #

shadowpho ◴[21 Oct 25 23:00 UTC] No.45662828[source]▶

>>45659367 #

Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

If my company used AWS I would be hyper aware about anything that it’s doing right now

replies(3): >>45663738 #>>45670051 #>>45671945 #

1. CaptainOfCoit ◴[22 Oct 25 14:53 UTC] No.45670051[source]▶

>>45662828 #

> Wouldn’t this be a terrible time because everyone is looking/logging into AWS?

Yes and no I suppose, it has trade-offs. On one hand, what you're saying is true for sure. But on the other hand, if you're currently trying to rescue a failing service, come across something that looks weird and you have a hunch you should investigate, but you're in the middle of fire-fighting, maybe you're more likely to ignore it at least until the fires been put out?

↑

Ask HN: Our AWS account got compromised after their outage