I received an email from Amazon Web Services notifying me that there were suspicious unauthorized activities in my account. Apparently my access key was exposed. It happened because I made public one of my private repos, one of the side projects I started and abandoned months ago, in which I stupidly left the AWS access key.
The unauthorized person(s) created 20 Windows instances in each of the regions. By the time I received the e-mail notification from AWS, those instances had been running for about two hours. I deleted the exposed access key and turned off all the instances as soon as possible. Not soon enough, unfortunately, since I got another email 4 hours after the incident alerting me that my usage billing had exceeded 50 USD (the number I set up). Way over 50 USD. Let's just say it completely ruined my excitement about the Apple Keynote.
Bad people are EVERYWHERE
This incident has given me a chance to understand how the celebrities might feel when their private photos were stolen lately. I said "stolen" because the celebrities did not upload their photos voluntarily to public space. Somebody broke into their personal online space and took their private files without the owner's permission. Would you blame yourself for keeping money at home when someone broke into your house and stole your money?
My case was not exactly the same since I accidentally exposed the key to my online space. But good people would not enter your house when they find your key lying on the ground. It reminds me of when I forgot my room's key and left it hanging on the door a long time ago here in Japan. My neighbor, with whom I never talked, kept the key and returned it to me. That was how good people behave.
Mistake as an experience
I always have a hard time coming up with an answer to my own hypothetical question: What is your biggest mistake or unfortunate event in life? I can now proudly answer that this incident was my biggest mistake yet. Even so, I realized that this unfortunate event is nothing compared with all the terrible things happening all around the world right now.
As obvious as it seems, I learned a few things from this mishap.
- Never ever expose your key.
- Act swiftly upon receiving a suspicious activity alert.
- Delete keys if you're not using them anymore.
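
The first and last lessons can be checked mechanically before a private repo is made public. The following is an added example, not part of the original post: a Python scan of a working tree for strings shaped like AWS access key IDs and secret access keys. The function names, the skipped directories and the "secret" keyword heuristic are assumptions of this example.

```python
import os
import re
import sys

# Access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys: 40 base64-style chars; flagged only on lines mentioning "secret".
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SKIP_DIRS = {".git", "node_modules"}  # assumption: .git objects are compressed


def redact(value):
    """Show just enough of a match to locate it without re-leaking it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text):
    """Return (line_no, kind, redacted_match) for each suspected credential."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID.finditer(line):
            hits.append((no, "access-key-id", redact(m.group())))
        if "secret" in line.lower():
            for m in SECRET.finditer(line):
                hits.append((no, "secret-access-key", redact(m.group())))
    return hits


def scan_tree(root):
    """Scan every readable text file under root, including dotfiles like .env."""
    findings = []
    for folder, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:  # unreadable file or broken symlink
                continue
            if b"\0" in data[:1024]:  # skip binary files
                continue
            text = data.decode("utf-8", errors="replace")
            findings += [(os.path.relpath(path, root), *hit) for hit in scan_text(text)]
    return findings


if __name__ == "__main__":
    for path, no, kind, shown in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{no}: possible AWS {kind}: {shown}")
```

It reads only the files currently checked out; a key deleted in a later commit is still in the repository's history, so that needs its own check before publishing.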
A glimpse of hope
When I woke up this morning, I found another email from Amazon replying to my plea to refund or to cancel the excessive billing. They said they will monitor my account for 24 hours prior to submitting a refund request on my behalf. Crossing fingers now.
UPDATE September 11, 2014
Amazon just contacted me to say that, as a one-time exception, they'll fully refund the bill! d=(´▽｀)=b