Root account hacked and Email updated

2

Hi, my root account was hacked, where he updated the email and is continuously using services. I have created multiple cases with support, but am still not getting a resolution. Any help to speed this up?

  • Please see my comments below. However, did you ever get access back to your account? The support we are getting (or lack thereof) is appalling. I have reached out via LinkedIn to the Head of Customer Support in ANZ and provided 80 pages of email and correspondence between AWS and ourselves. AWS say it's fixed but it's not, and they have taken it upon themselves to close the ticket. Seriously. WHAT HAPPENS NOW?

  • May I ask how this turned out for you? Same thing happened to me and I am struggling.

  • I recently had the same issue. April 11, 2023 5:14AM my time: I received an email saying that AWS has detected unusual login activity. April 11, 2023 5:16AM my time: I received an email saying that my account email was changed to a new weird email.

    I did not notice this activity until I found that there is a transaction on my credit card one day later that is charged from AWS.

    They did not even ask for a verification code for changing the email. It looks so easy when someone just took my account.

    When trying to restore the password, it said my account (with my email) does not exist.

11 Answers
2

We have had the same issue here. There are 3 people in the world who have access with an extremely complex password that is not recorded anywhere and yet the Email address attached to our account was changed without our consent or knowledge. So how could anyone break the user name and complex passwords?

When I ask AWS this we get nothing. We are a very security conscious organization with procedures in place for password protection. As I said the account details are not recorded anywhere except with AWS. And noting some other posts on various forums are saying the same thing occurred with them on the same day. Possible security breach AWS?

Now we have been locked out for 5 days with all services down and bluntly nothing but lip service from AWS. They run around like headless chooks and all you get is "stock standard responses" without any real action occurring. So far my bill from my client is $48,000 for the SLA we have in place. At the rate this is going and lack of genuine concern (other than stock standard replies) it will take weeks to fix.

I expect in view of the legal letters we have from the client the $100,000 a year contract is about to be terminated. At the rate of responses from AWS the SLA will be over $100,000 in any event.

Lots of polite talk from AWS but no action.

Appalling behavior without consequence. Well AWS, 2 people have already been laid off 7 days before Xmas because you can't bother to fix this. A business is about to lose everything because you refuse to deal with this promptly and efficiently.

I will not be able to take legal action because I don't have the money to fight this giant and they know this. Disgraceful.

I should also point out that as our mail server was hosted on our account and hacked we did not have access to the account email so they refused to answer despite providing both legal information and a Stat Dec to prove our identity. We were then forced to quickly build a new mail server (on Azure) and recreate our accounts just so they would listen to us. Again more money out the door.

With the AWS system it appears easier to hack the solution than prove you are the actual owner. It is a shame they did not take the question of changing email addresses and passwords as seriously as they do proving you actually own the account!

answered 2 years ago
  • I am facing the same and don't know how many people are facing the same issue. My ticket is not yet closed and for resolution they are asking me to add a payment method.

  • I recently had the same issue. April 11, 2023 5:14AM my time: I received an email saying that AWS has detected unusual login activity. April 11, 2023 5:16AM my time: I received an email saying that my account email was changed to a new weird email.

    I did not notice this activity until I found that there is a transaction on my credit card one day later that is charged from AWS.

    They did not even ask for a verification code for changing the email. It looks so easy when someone just took my account.

    When trying to restore the password, it said my account (with my email) does not exist.

  • And my password is not too simple

2

I have a similar issue; the support center conveniently closes your case without resolving it. So fed up with them.

answered 2 years ago
2

I have the same problem, almost a month ago, I already filled out the form, I've exchanged more than 30 emails with support and they can't solve my problem, I've never seen such bad support in my life. Please someone help me. I had to create another account putting another credit card, to be able to write in this topic. And I'm afraid they'll clone this account too. What a sad service you guys provide with support.

answered 2 years ago
2

Hi, I received the mail "Your Amazon Web Services Account Email Has Been Updated" but I didn't ask to change my email!! My account is hacked! I have just locked the credit card associated with my AWS account. I wrote to support 2 times but I haven't received any feedback. Please restore the correct account access with a temporary password.

Daniele
answered a year ago
1

It all started with a mail received from Amazon Web Services with the subject "Your AWS account compromise". I simply ignored it, bearing in mind the fact that I have not been using the account for the last 4 years, and thought it might be a spam/phishing mail. At the start of the next month, I received another mail with a bill amount of $87.41, approximately 263790.24 INR. When I tried to log in I found my password got changed along with the MFA mobile number. That raises a question: AWS MFA is as good as an account without MFA. I raised a support ticket and the AWS team disabled MFA temporarily and asked me to reset my password and try. Thankfully I was able to log in again to see that unauthorized resources had been triggered (ECS containers in 3 different regions), which cost this hefty bill amount. From the CloudWatch trail logs it is quite evident that it was via the root account (the question is, if the AWS root account is not secure with MFA then what other security option does one have). I replied to the support case after deleting all unauthorised resources. The support team is insisting that I add a payment method since the credit card through which I registered my account expired (Question is, luckily it got expired, else the unknown AWS hacker might have debited the amount from my credit card). In every reply they are forcing me to add a payment method to keep my account active and assist further and then settle the bill amount. Luckily, their system is not allowing me to add or update a credit/debit card but only netbanking with a few registered banks. I added the same. The response was shocking, you either to to edit the payment method and match existing one. Trust me - you people understand it yourself who is the culprit.

answered a year ago
1

I am in exactly the same situation as Daniele. My account has been hacked and the email address associated with it has been changed. The support team is not able to help me, and they don't even seem to understand the situation. I have opened at least 10 tickets regarding this issue.

egehan
answered a year ago
0

I recently had the same issue. April 11, 2023 5:14AM my time: I received an email saying that AWS has detected unusual login activity. April 11, 2023 5:16AM my time: I received an email saying that my account email was changed to a new weird email.

I did not notice this activity until I found that there is a transaction on my credit card one day later that is charged from AWS.

They did not even ask for a verification code for changing the email. It looks so easy when someone just took my account.

When trying to restore the password, it said my account (with my email) does not exist.

I submitted a ticket to the Compliance team and did not even receive any email confirmation or ticket number to say that my case is being taken care of.

I need to register my new account with the same email to comment here.

answered a year ago
0

Hi,

I just had the exact same thing happen to me. My password is 25+ characters long, and I've not used this account for over 4 years, thus it's very unlikely due to compromised credentials.

Everything seems to be recovered (was empty anyway), but I'm very curious how this might have happened?

J

jov
answered 2 days ago
-3

I'm sorry to read this. The only thing I can think of would be to contact your card company to try to block further charges against your card?

I know this is too late but if you have any other accounts I would strongly advise configuring MFA and following other steps highlighted on the IAM best practices page: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Good Luck!

answered 2 years ago
-4

Hello,

I'm sorry to hear this! It sounds like you've already filled out the following contact form to reach our Support team: http://go.aws/account-support.

I recommend refraining from creating additional cases to prevent any confusion or delay in receiving assistance. Our Support team has the proper tools to help recover your account. They will also be able to assist with any account or billing questions you may have.

As we take security very seriously, this process may take some time to investigate and resolve. Thank you so much for your patience while our agents work on your case.

Best regards,

Kita B.

AWS
EXPERT
answered 2 years ago
  • Is there a time to response, for customer to have an answer or confirmation that their request was received and is under review? Thank you

-4

Good day.

I am sorry to hear the issue you are having.

First, if your root account was compromised then please:

  1. As was stated earlier, if you have already opened an AWS support account, then please refrain from opening additional cases as this may cause a delay in response.

  2. If you do not have access to the account, then please create a NEW account and open a ticket to AWS Support using Support Center, referencing the account that was compromised and providing the e-mail address that was compromised.

  3. If this was a linked account, or an account within AWS organizations, then please open a ticket via support center from the payer account.

Once access to the account (root user access) has been restored, please ensure you follow practices in this guide: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

Again, please correspond on the initial support case opened so our internal teams can rapidly support you during this issue. Ensure all details specific to your account, yourself, and the security event are kept within the Support ticket.

Sincerely,

Jason H.

AWS
Jason_H
answered 2 years ago
  • Hi Jason, I have this exact same issue. Support ticket 9435149501. I got an email from AWS saying that the email associated with my account had been changed. I did not authorize this, so I had to create a new account like step #2 above, and opened a ticket, and called support. They wouldn't help me because I could not recall the account number!! Surely there has to be some kind of log showing that this happened. Then over the weekend I saw a $7600 USD charge on my credit card from AWS. So I opened Support ticket 9435149501. Support doesn't seem to understand the issue and I am really stressing out over this. I've cancelled the card so they can't do any more damage. I've provided the transaction ID on the ticket. It should be glaringly obvious that the account generating that charge is the hacker and needs to be shut down immediately.
