URGENT: my account was hacked (Case ID XXXXXXXXXX) - Bill 24k USD
Hi everyone, I need help urgently!! my account was hacked on March 20th and billing is around 24k USD, I raised the case on March 24th when I notice the problem, but, the case in AWS Support has not so much progress. I did the following actions:
- Modified password and MFA
- Removed users and groups that I dont recognize
- Released the dedicated hosts that were created under my account (17)
- Removed other components (like Elastic IP) that was not created by me
I dont know what else must I do now, I have 2 days waiting for a reply from AWS Support but it is taking long and I'm totally desperate now, can't sleep with this issue :'(
Anyone that can help me, with more instructions to secure my account and/or escalating the case, my main concern is about the billing amount, unfortunately I can't affort pay for it, my account was mainly for testing, explore and implement University homeworks. How can I demonstrate that these configurations were not created by me?
I will be very grateful with any help!
*edited: Removed Case ID -— Brian D.
Don't panic. It should get sorted out soon.
I'm sorry to hear this is happening. I've passed along your concerns to our support team working your case. Please continue to work with them through your case, as they are best tooled to resolve your issue.
For your security, please refrain from sharing PII such as your account number or case ID.
— Brian D.
Hi , Sorry to hear it had happened. While you have already raised the support case , here are some guidelines for compromised accounts. Also make sure you setup Billing alarms on your account, so that for any amount that goes above the threshold that you are not comfortable with, AWS will send you a notification immediately.
• Rotate and delete all root and AWS Identity and Access Management (IAM) access keys. • Delete any potentially unauthorized IAM users, and then change the password for all other IAM users. • Check your bill. Your bill can help you identify resources that you didn't create. • Delete any resources on your account that you didn't create, such as Amazon Elastic Compute Cloud (Amazon EC2) instances and AMIs, Amazon Elastic Block Store (Amazon EBS) volumes and snapshots, and IAM users. Note: Before deleting your resources, consider if you have a regulatory or legal need to investigate those resources. If so, consider keeping a few snapshots of EBS resources. • Enable multi-factor authentication (MFA) on the root user and any IAM users with console access. Enabling MFA can help you to secure the accounts and prevent unauthorized users from logging in to accounts without a security token. • Verify that your account information is correct. • Respond to the notifications that you received from AWS Support through the AWS Support Center.
Root account no permissionsAccepted Answerasked 2 months ago
Data transfer cost on VPC peering with different AWS accountsAccepted Answerasked 2 years ago
My AWS account has been hacked over a week and the support ticket is "unassigned". Billing charges are still being generated and I have no support to stop it from AWS.asked 5 months ago
URGENT HELP, Name correction for AWS examasked 2 years ago
Why was my EC2 Instance deleted from my account?asked 2 years ago
AWS Public Prices in EURasked a month ago
Account hacked, still charged with billasked 4 months ago
Missing Instanceasked 2 years ago
My AWS account has been hacked over a week and it generated a bill of $2845 in last two days of Feb and $3431 in March. In just 15 days, this amount got generated.asked 2 months ago
URGENT: my account was hacked (Case ID XXXXXXXXXX) - Bill 24k USDasked 2 months ago