Hi, it sounds like someone has got access to your account's root user if they were able to change the main email address. Have you been logging in only as the root user, or do you have an IAM user you can still use to get in? AWS advise always applying MFA to the root user and then not using it except in emergencies; you're right about it being way too easy to be locked out if you don't do that.
There are three ways to log in as root if you've set them up. Firstly the email address + password + (hopefully) MFA. Failing that, "alternate factors" where you are contacted on the account email address and phone number, but this doesn't help if the email address has changed. Failing that, contacting AWS and using your security questions & answers - if these are set up and whoever broke into your account hasn't reset them, you can get root access this way.
Beyond that I believe you may be able to get access via some legal attestation process but I've never been there so don't know for sure.
I got the same problem and don't know what to do. I'm thinking of changing my card.
I need several help please
Agreed, I quickly emailed the abuse link and contacted some folks on chat... I think it is way too easy for someone to hijack and way too hard to get someone to help... BUT once I got some help we quickly got the account restored and there does not appear to be any malicious activity before I got it back.
I think Amazon should amend the login page to recommend the MFA. I run a few Lightsail instances and am not a sophisticated user; I would have appreciated a warning to activate MFA or at the least some sort of check against password and email changing....
I also noted a large amount of bogus SSH attempts (before this); it seems as though that is somewhat common, as all 3 of my servers had roughly the same in their logs. On Ubuntu this was the command: sudo less /var/log/auth.log
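One way to summarise the SSH attempts mentioned in the comment above instead of paging through the log, and to check whether any login actually succeeded. This is an added example, not part of the original thread; the log lines are constructed samples using documentation address ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The log lines below are constructed, not from a real host.
sample_auth_log() {
cat <<'EOF'
Mar  3 02:11:07 ip-172-26-0-10 sshd[1411]: Invalid user admin from 203.0.113.45 port 50122
Mar  3 02:11:09 ip-172-26-0-10 sshd[1411]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar  3 02:11:15 ip-172-26-0-10 sshd[1415]: Failed password for root from 203.0.113.45 port 50140 ssh2
Mar  3 02:14:31 ip-172-26-0-10 sshd[1502]: Failed password for invalid user test from 198.51.100.7 port 41022 ssh2
Mar  3 02:15:02 ip-172-26-0-10 sshd[1510]: Failed password for invalid user root from 192.0.2.10 port 22 ssh2 from 198.51.100.7 port 41030 ssh2
Mar  3 02:20:00 ip-172-26-0-10 sshd[1600]: Accepted publickey for ubuntu from 192.0.2.10 port 60001 ssh2
Mar  3 02:21:44 ip-172-26-0-10 sshd[1620]: Failed password for root from 203.0.113.45 port 50200 ssh2
Mar  3 02:25:00 ip-172-26-0-10 CRON[1700]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Count failed password attempts per source address, busiest first.
# The username in these lines is supplied by the client and can contain
# spaces or the word "from" (see the 02:15:02 sample line), so the address
# is read from the fixed tail "from <addr> port <n> ssh2" rather than from
# the first "from" on the line. A first-match parser would wrongly blame
# 192.0.2.10, the address of the legitimate login in this sample.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             if ($(NF-4) == "from" && $(NF-2) == "port") n[$(NF-3)]++
         }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# List logins that succeeded as: user, source address, auth method.
# Fields are located relative to the word "Accepted" so the timestamp
# format at the start of the line does not matter.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++)
                 if ($i == "Accepted") { print $(i+3), $(i+5), $(i+1); break }
         }'
}

# Real use on the server: sudo cat /var/log/auth.log | failed_by_source
echo "Failed attempts by source:"; sample_auth_log | failed_by_source
echo "Successful logins:";         sample_auth_log | accepted_logins
```

Any address in the second list that you do not recognise is the one to investigate; a long first list with an empty or fully expected second list matches the background noise described above.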
Glad it worked out! I strongly recommend that you immediately: