Tell HN: AWS does not require email confirmation for email or password changes
18 points by schneiderscode 1264 days ago
Hey everyone,

I created a new AWS account over the weekend for a hobby project. Tonight I got an email that my password and email had both been changed. I hadn't set up MFA yet simply because I hadn't even used any resources.

I'm just shocked that Amazon doesn't even send a "Hey we're about to lock you out, is this okay?" email before allowing someone to completely take over.

As for the compromise, waiting to hear back on how this happened. I confirmed the password I used isn't in haveibeenpwned. A keylogger seems unlikely since none of my other sensitive accounts have had issues. Just in utter disbelief that account changes would be allowed without any confirmation.

2 comments

Interested in how it happened.

Was the password unique?