What To Do When Your AWS Account Is Hacked?
In this article, we cover what to do when your AWS account is hacked and what to do when someone changes your AWS account root email.
The first step is not to panic and to follow the protocols, as neither your worry nor your panic is going to bring your account back. So the first step is to calm down and follow the steps mentioned below. Don’t worry about billing: once you report the incident to AWS, they will help to adjust those unauthorized charges.
Also, don’t be surprised that your account has been hacked. Our account was hacked from another country and Amazon did not stop them based on geolocation as Google does. The account was hacked during the USA nighttime. This means that the owner who is from the USA got an email, but could not act or respond. So don’t ever be under the impression that certain services or certain accounts can’t be hacked.
And remember, no one, yes, no one, is going to help except AWS. Only AWS can help you, and hence there is no need to contact any other person or company. Also, don’t go for any 3rd party services that promise to get your account back.
Please note that this article is not about what to do to avoid hacking. This article is more about what you have to do when it happens. And yes, it does happen – it happened to us and it happened to others as well. So I am describing the steps that we took.
Steps That We Took
- Contacted AWS: We contacted AWS using another account, so we used another AWS account. You can use your colleague’s account, your friend’s account, or your own, but it has to be a different account. In that ticket, we mentioned that our AWS account was hacked. We did mention our account number and the email address associated with AWS. Also, when the email address of your root account is changed, you get an email notification from AWS. We even sent a screenshot of that as well. This way we made sure that we let AWS know that our account had been hacked, and we requested them to please help us recover it at the earliest.
- We also filled out this form, and again we mentioned that our account is not in our control anymore.
- One of the most important things we did was to contact Amazon via their social media handles on Facebook and Twitter and ask them to expedite the matter. They took their time, and contacting them via social media helped.
- After some time, we started a live chat with them using the same AWS ticket account. In the live chat, we explained the whole situation. I asked them to expedite the process of recovery and also expressed our concerns about unauthorized charges.
- We waited for them to respond, and made sure that we replied to all communications from Amazon Support in a timely manner. Please note that AWS support does take time to verify your account to make sure what you have reported is true.
- Next, AWS is going to call, and you verify all the details. It might take 24 hours for them to verify everything, and if everything goes well, your account will be reactivated. And what to do next is something that we all know.
The important takeaways from these incidents are:
– Keep patience – It’s tough, but always keep patience, as such situations are going to test your patience.
– Always keep a backup of all your resources – maybe use services like CloudFormation to have all your resources in exported format – so that you can use that either
– We had EC2 and RDS instances in our account. We immediately took a backup by downloading them and bringing local copies up to date.
– There is no contact number to contact AWS – so please don’t try that.
– Remember You (the AWS account owner) and ONLY you and AWS can resolve this issue.
– Please do change your passwords for Amazon.com as well.
– Make sure you secure your devices as well.
– Make sure you change all possible passwords, like your email passwords and other important passwords.
Below are some FAQs that will help you to act quickly:
All you need is to be calm and start contacting support. Please use the instructions mentioned in the article above to recover your AWS account.
No, AWS does not have any contact number, and you have to communicate via ticket and email.
Not really. If you report them in a timely manner and inform them, then they do understand and take care of such charges.
It will take around 24 to 48 hours to recover your account, but it also depends on the verification process and the communication that happens between you and Amazon.
You have to make sure you follow the standard security practices like MFA, disabling the root account, and other practices suggested by Amazon.
