To AWS support staff,
I kept an open subscription to AWS at the base level but did not actively use it for any actual production or commercial activity. Someone gained unauthorized access and create a lightsail instance in Dec 2025 and Jan 2026 under my account; surprisingly bypassed the MFA login preventing even I gaining access due to a wrongly formatted phone number. Only by direct contact with AWS support with my authentic credential (phone number and answer to security questions), I was able to re-gain access to find out details of the unauthorized use of my account to spin up the LightSail instance. This led to the believe that my account was accessed illegal by an insider who monitor inactive accounts and choose to abuse mine for personal purposes; which luckily I found out due to notification of overdue to an expired creditcard.
To prevent any further charge; I have removed the lightsail server instance. Can these charge be reviewed and refund those, my CC-card was charged already.
This isn’t a support queue. Open a support case in your account.