[JDEW]

> We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment.

In other words, someone didn't put a password on their S3 database exposed to the internet...

[julsimon]

S3 is not a database, but that's not the point. As explained by Capital One, the attacker gained access through a misconfigured web app. This could have happened on any platform (on-premise or cloud), and the underlying AWS services weren't compromised in any way.

[gm_fan_boi]

They would probably argue S3 is a product targeted at sophisticated people, by virtue of knowing how S3 operates you are sophisticated.

[dharmab]

From reading news sites they were compromised by an Amazon employee, exploiting a bad WAF role.

[julsimon]

An ex-AWS employee, who left 3 years before the facts took place.