Your Amazon Web Services Account Email Has Been Updated

0

I got an email mentioning the above with the below; it looks like my credentials have been compromised and someone changed the details, apparently without requiring any confirmation of OTP or otherwise... I submitted via can't login as I cannot log in to create a ticket!!... Doesn't seem that this should be so hard to report and get assistance with... Any advice??

Why doesn't any change require an OTP or confirmation of some sort? This seems way too easy to be locked out.

Greetings from Amazon Web Services,

As you requested, the email address associated with your AWS account has been updated.

Old email address: xxxxxxxxxxxxxx@xxx.xxx

New email address: Txxxxxxx@teleworm.us

To view or edit your account settings, please visit the “My Account” page at

https://console.aws.amazon.com/billing/home?#/account.

1 Answer
0

Hi, it sounds like someone has got access to your account's root user if they were able to change the main email address. Have you been logging in only as the root user, or do you have an IAM user you can still use to get in? AWS advise always applying MFA to the root user and then not using it except in emergencies; you're right about it being way too easy to be locked out if you don't do that.

There are three ways to log in as root if you've set them up. Firstly, the email address + password + (hopefully) MFA. Failing that, "alternate factors" where you are contacted on the account email address and phone number, but this doesn't help if the email address has changed. Failing that, contacting AWS and using your security questions & answers - if these are set up and whoever broke into your account hasn't reset them, you can get root access this way.

Beyond that I believe you may be able to get access via some legal attestation process but I've never been there so don't know for sure.

EXPERT
answered a year ago
AWS
EXPERT
kentrad
reviewed a year ago
  • Agreed, I quickly emailed the abuse link and contacted some folks on chat... I think it is way too easy for someone to hijack and way too hard to get someone to help... BUT once I got some help we quickly got the account restored and there does not appear to be any malicious activity before I got it back.

    I think Amazon should amend the login page to recommend the MFA, I run a few lightsail instances and am not a sophisticated user, I would have appreciated a warning to activate MFA or at the least some sort of check against password and email changing....

    I also noted a large amount of bogus ssh attempts (before this); it seems as though that is somewhat common, as all 3 of my servers had roughly the same in logs. On Ubuntu this was the command: sudo less /var/log/auth.log

  • Glad it worked out! I strongly recommend that you immediately:

    • Put MFA on your root user and stop using it
    • Use only an IAM User, again with MFA
    • Make sure you have all three ways to log in as root established and working.
