Tragic story – AWS hacked account

76 points by nouxious ↗ HN
My son got into an accident last August and suffered a severe traumatic brain injury that left him hospitalized for months.

In that time, I received an email from AWS warning me that my account had been hacked.

It goes without saying that I didn't check my emails daily when my son was dying.

That very small account (*$20/month) turned into several thousand dollars.

I contacted AWS for assistance. Although they acknowledged that my account had been hacked, they refused to waive the bill and demanded full payment.

If you were in my position, what would you do?

34 comments

[ 2.6 ms ] story [ 90.6 ms ] thread
I would try to get a different support agent first and see if their tone changes
I had 6 agents in total. They were all tone deaf. It feels like I am corresponding with a bot.
None of them wants to lose their job or benefits. It's easier to get rid of you by handling you to the next rep enough times to frustrate you. They won't get into trouble for not solving your issue - they did their jobs perfectly.

Financial harm is the single language Amazon understands. Let lawyers talk to Amazon and they most likely won't be thrown around between 1st line reps.

If it’s any consolation the enterprise support guys aren’t any better.

Threatening to move to Azure is about the only move that works.

Make it viral. This will definitely help. Wish you best luck in this case
As far as I know, AWS does not take debts to court.

Just remove the credit card from the account and let them suspend it indefinitely. Beware that you will lose anything you had stored on the account.

If you really need Amazon, set up a new account with a new email address, although I'd stay away from AWS.

It would be helpful if you explain why you would stay away from aws.
Not paying a debt and walking away isn't a criminal offence.

Signing up again under a different name to continue using the service you have been banned from could be considered fraud by misrepresentation, which in most places is a fairly serious criminal offence (even though it is very unlikely to be prosecuted in this case).

Cybercrime aside, AWS is almost always not worthwhile for small business or individual use. Issues like opaque billing, devops complexity and vendor lock-in go away immediately if you switch to Digital Ocean or one of the many simpler and cheaper cloud providers. Unless you are building something that is specific to AWS, relying on AWS as individual/small company is like buying enterprise router from Cisco or Fortinet for your home network - technically nothing is stopping you from doing so, but it's an overkill.
I also recommend removing all payment methods and forgetting about Amazon.

Just make sure to store any emails and support protocols that indicate that the account was recognized as hacked. This will be important if you ever have to deal with the debt in mediation/court.

It is called recurring payment scam. Amazon chose to extend credit by letting your account build up instead of suspending your account. You did not ask for a thousands of dollars credit line.

I would write a letter to your state attorney generals office telling them that scamazon web services is running a recurring payment scam in your state. Probably the AWS managers running this are foreigners and dont give a shit about this country's laws.

> Probably the AWS managers running this are foreigners and dont give a shit about this country's laws.

Incredible.

Ask someone from Bopal, it's unbelievable that a corporation would disrespect the local law where they do business.
Please don’t use someone else’s tough situation to further your tirade.
I’d not pay and then sue if they took it to collections or counter sue if they took it to court.
Email jeff@amazon.com. Although he's stepped back as president and CEO, I've heard that someone still monitors that email, and that serious issues get routed to a team that can actually take care of them.

It's worth a try, in any case, and it doesn't seem like you have much to lose, especially given their acknowledgement that your account was hacked.

There is already some actionable advice in this thread – I would suggest that you also call a lawyer to talk it through and see what they have to say. They might be able to contact AWS on your behalf.
I ran into this situation earlier this year, minus the horrific personal tragedy, I hope he's in a better condition now, I'm deeply sorry about having to go through that.

I called AWS To deactivate my account in May of 2020 because I was going through some medical hardships and wouldn't be able to maintain anything on there for awhile and I wanted to double check that I wasn't going to keep getting charged if I forgot to manually turn something off. I thought all went well and it would be turned off, until I checked my bank around a few months ago and noticed I was still getting charged for AWS.

I spent 3 weeks trying to get support to why I was still getting charged and for much more than I had ever set uo, but they wouldn't tell me anything because none of my emails matched any accounts they had on record. I finally got a support person to slip when I told her the name of my company and she said it was similar to the email on file, but that it was a Gmail account. I've never made a Gmail account for my business and I was the only one that ever had access to the AWS account. I don't know how someone could have gotten into the account and changed the email, but I couldn't log in and the only thing I could do was have my credit card company cancel the charges (which could only go back 3 months) and prevent new charges. I'm still baffled about how this happened, but I've moved to GCP and will never go back, those 3 weeks were insanely frustrating.

I wanted to fight tooth and nail, just because I'm sick of ultra-large corps' ability to get away with stuff like this, but my wife was worried about Amazon's retaliation and not being able to use Amazon to buy things which is half the problem. I don't really have any advice, but maybe if enough people share their stories something will make it to a headline.

Are there no consumer advocacy organizations that normal people have access to?
If anyone in that circumstances then would not pay the bill and tries to know the reason behind demanded full payment and raise complaint against AWS.

Anyone in need of personal or corporate investigation then visit at https://www.spydetectiveagency.com

How is your son doing?
> ... when my son was dying.

Unfortunately :(

People use that word when they are grave danger of death, not necessarily means that he died, right?
You are technically right, but it would be unlikely ("when I thought my son was dying" would have been a more likely expression).

While I would certainly hope for it to not be true, out of respect I would not focus on this side of the story regardless.

First, i'm sorry for your son.

I've been hacked a few years ago. But it was in the several tens of thousand of dollars (for me in a matter of hours). I've deactivated my account while the hacker was using it.

It took a stressful week to settle the matter with AWS. And not at any point i've been in a position to influence anything. I was just there for the ride. In the end they erased the debt.

A few years after that, i've reactivated my account. Some leftover resources were there, so i cleaned but i missed some, resulting in another charge, less expensive. I've requested to be reimbursed. First they objected, but then with some references to the previous incident i gave them they complied.

Do not give up. Do not pay.

1. If you put credit card, do chargeback and put your card on hold. Do not accept payment unless your lawyer tell you to do so.

2. Hire a lawyer. Make sure lawyer is competent in objecting all collection agencies.

3. Make it go viral. Try to reach out community to make story around it, like https://twitter.com/quinnypig

> If you put credit card, do chargeback and put your card on hold.

I'm sorry, but this is poor advice.

As per the Visa website, definition of a chargeback:

     "A chargeback (otherwise known as a dispute) is a way for your bank that issued your card to reclaim money from the retailer’s bank when you do not get the goods or services you paid for, including if the retailer or supplier has gone out of business."
Therefore:

     - If the cardholder knowingly signed up to AWS, then this is not a vaild reason for a chargeback.
     - If the cardholder knowingly activated chargeable AWS services, then this is not a vaild reason for a chargeback.
     - If AWS delivered the activated chargeable AWS services as requested, then this is not a valid reason for a chargeback.
     - In AWS case, did the cardholder take sufficient steps to secure their account (most banks these days have a security clause in their agreements).
The correct and only way to solve this is through entering discussions with AWS. And, if you are insistent on spending money on lawyers, don't waste the lawyer's time on card chargebacks, get the lawyer to engage with AWS Legal instead.

Don't abuse / misuse credit card chargebacks. It only ends up making life more difficult for the rest of us because the only thing that will happen is banks and card issuers will make people jump through even more hoops to "prove it".

AWS was defrauded into delivering services that the account holder did not request. Those services were not delivered to the account holder but instead the fraudster. Therefore a charge back is appropriate in order to "reclaim money from the retailer’s bank when you do not get the goods or services you paid for".
Disagree, but if in doubt get a good lawyer and follow their advice instead of some strangers from the internet.
Except that, pragmatically, credit card companies will refund the money if they want to keep your business. The way to resolve this is whatever way returns your money. I don’t need to look out for your best interest when I’m fighting for money that’s owed to me. That’s a ridiculous statement
Sorry for your lost.

For others, how do I prevent this? Any tips? Thanks.

- use a hardware MFA device like Yubikey (note: you can only register one hardware device, because AWS fucked up their implementation)

- if you can't use hardware MFA for whatever reason, use TOTP (this allows backing up your MFA)

- don't use the root account for anything other than creating less privileged users (ideally create an admin user that can do that, and never use your root account anymore, and only use the admin account to set up users)

- the other users should use the principle of least privilege (only access to actions X, Y to resources Z, Ż, Ź)

- if you can at all get rid of using access keys (e.g. via using roles), then do so

- if you can't, never share them with anybody (don't commit it to git repos, that's for sure)

The two first points are crucial, and I've never heard of an account fully compromised without sharing access keys that had MFA set up.

For more details:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practi...