URGENT: my account was hacked (Case ID XXXXXXXXXX) - Bill 24k USD

0

Hi everyone, I need help urgently!! My account was hacked on March 20th and billing is around 24k USD. I raised the case on March 24th when I noticed the problem, but the case in AWS Support has not made much progress. I did the following actions:

  • Modified password and MFA
  • Removed users and groups that I don't recognize
  • Released the dedicated hosts that were created under my account (17)
  • Removed other components (like Elastic IP) that were not created by me

I don't know what else I must do now. I have been waiting 2 days for a reply from AWS Support, but it is taking long and I'm totally desperate now; I can't sleep with this issue :'(

Can anyone help me with more instructions to secure my account and/or escalate the case? My main concern is the billing amount; unfortunately I can't afford to pay for it. My account was mainly for testing, exploring and implementing university homework. How can I demonstrate that these configurations were not created by me?

I will be very grateful for any help!

*edited: Removed Case ID — Brian D.

  • Don't panic. It should get sorted out soon.

2 Answers
1

I'm sorry to hear this is happening. I've passed along your concerns to our support team working your case. Please continue to work with them through your case, as they are best tooled to resolve your issue.

For your security, please refrain from sharing PII such as your account number or case ID.

— Brian D.

AWS
EXPERT
answered 2 years ago
1

Hi, sorry to hear it happened. While you have already raised the support case, here are some guidelines for compromised accounts. Also make sure you set up Billing alarms on your account, so that for any amount that goes above the threshold that you are not comfortable with, AWS will send you a notification immediately.

  • Rotate and delete all root and AWS Identity and Access Management (IAM) access keys.
  • Delete any potentially unauthorized IAM users, and then change the password for all other IAM users.
  • Check your bill. Your bill can help you identify resources that you didn't create.
  • Delete any resources on your account that you didn't create, such as Amazon Elastic Compute Cloud (Amazon EC2) instances and AMIs, Amazon Elastic Block Store (Amazon EBS) volumes and snapshots, and IAM users. Note: Before deleting your resources, consider if you have a regulatory or legal need to investigate those resources. If so, consider keeping a few snapshots of EBS resources.
  • Enable multi-factor authentication (MFA) on the root user and any IAM users with console access. Enabling MFA can help you to secure the accounts and prevent unauthorized users from logging in to accounts without a security token.
  • Verify that your account information is correct.
  • Respond to the notifications that you received from AWS Support through the AWS Support Center.

https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

AWS
answered 2 years ago
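
An added example, not part of the answer above and not AWS's own code: one way to check the IAM steps in that list (unauthorized users, unrotated access keys, console access without MFA) against the account's IAM credential report, the CSV produced by `aws iam generate-credential-report` and `aws iam get-credential-report`. The sample report, account ID, user names, year and the `audit` function are constructed for illustration; the two cut-off dates are assumptions taken from the March 20th and March 24th dates in the question.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the credential report's CSV layout (subset of its columns).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-09-01T10:00:00+00:00,not_supported,false,true,2021-09-01T10:05:00+00:00,false,N/A
student,arn:aws:iam::111122223333:user/student,2021-09-02T08:00:00+00:00,true,true,true,2024-03-25T09:00:00+00:00,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2024-03-20T03:14:00+00:00,true,false,true,2024-03-20T03:15:00+00:00,false,N/A
"""

def parse_ts(value):
    """Return an aware datetime, or None for N/A, not_supported, no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, compromised_at, cleanup_started):
    """Return (user, finding) pairs for the IAM items in the compromise checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        created = parse_ts(row["user_creation_time"])
        # Users that appeared on or after the compromise need to be verified or deleted.
        if not is_root and created and created >= compromised_at:
            findings.append((user, "created after compromise"))
        # Root always has console access; IAM users only when a password is set.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        # Any active key older than the cleanup may be known to the intruder.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or rotated < cleanup_started:
                findings.append((user, f"access key {n} not rotated since cleanup"))
    return findings

if __name__ == "__main__":
    hacked = datetime(2024, 3, 20, tzinfo=timezone.utc)   # constructed year
    cleanup = datetime(2024, 3, 24, tzinfo=timezone.utc)  # constructed year
    for user, finding in audit(SAMPLE_REPORT, hacked, cleanup):
        print(f"{user}: {finding}")
```
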
