[nilved]

The instance was spun up on April 2, but Heartbleed wasn't disclosed for almost a week later. I highly doubt anybody used the Heartbleed 0-day to access your account.

[viseztrance]

According to Cloudflare (http://blog.cloudflare.com/answering-the-critical-question-c...), exploiting heartbleed may actually be very difficult. So yeah, it's very unlikely for that to have happened.

[dmix]

Well, getting an SSL private key is difficult as they don't often get into memory and are quite long (difficult to get from 64k at a time). Whereas AWS credential keys are something that get into your servers RAM much more frequently and are shorter strings. So it could easily be remote memory exploitation. But more likely social engineering or some other easy path in.

[ceejayoz]

People accidentally send those keys off to Github all the time. I'd suspect that sort of thing.

[mschuster91]

Heartbleed only exposed SSL memory (like incoming or outcoming connections), but not other memory (particularly not program memory), containing AWS keys.