They used the same mechanism of using common crawl or other publicly available web crawler data to source dns records for s3 buckets.