A leading-edge research firm focused on digital transformation.
Chris Chin, a Seattle entrepreneur who creates mobile apps for local publishers, woke up on New Year’s Day to an alarming alert from his Amazon Web Services account. It said he owed more than $53,000 for a month’s worth of hosting, a far cry from his typical $100 to $150 bill.
“I was just shocked and started freaking out,” Chin said in an interview with Insider.
The size of the bill, which Insider has confirmed, led Chin to suspect that he had been hacked by cryptocurrency miners, who can run up huge charges for the raw computing power needed to produce even small amounts of digital currencies like Bitcoin.
Cryptocurrency mining attacks aren’t new in the world of cloud computing. But the soaring value of many of the most popular cryptocurrencies since the start of the pandemic has supercharged the incentives for hackers who are able to commandeer the cloud-computing accounts of unsuspecting developers. Google reported late last year that 86% of account breaches on its Google Cloud platform were used to perform cryptocurrency mining.
Targets of these attacks told Insider that the cloud services providers, like AWS, Google Cloud, and Microsoft Azure, have tended to shift the blame for cryptocurrency mining attacks onto customers, saying breaches are the result of users’ misconfigured settings or lack of account security. The companies reiterated that blame. A spokesperson for Google referred Insider to company research indicating that customers’ poor security practices or “vulnerable third-party software” were responsible for nearly 75% of cloud account breaches. Microsoft’s spokesperson declined to respond to questions.
An Amazon spokesperson said in a statement that AWS is “secure by default.” AWS support teams “work closely” with customers whose accounts have been compromised to “address the individual circumstances surrounding any unauthorized charges,” the spokesperson said.
AWS points to its “shared responsibility model,” which states that Amazon is in charge of the infrastructure but customers are responsible for security, to justify why users may be on the hook for a portion of the bill racked up by hackers.
For users, though, that means a one-time mistake or unexpected breach can put them face-to-face with potentially crippling debt.
Chin was eventually told AWS may waive most of the charges. From reading the experiences of other AWS customers in similar situations, he worries he could still owe 25% of the more-than-$50,000 bill. Even that could be ruinous for Chin, who says his business’s revenue has plummeted during the pandemic.
“We’re a small business struggling to keep afloat,” Chin said. “I feel stressed because if we get hit with the bill, we’re gonna have to close the business.”
Hackers have been compromising cloud-computing accounts to mine cryptocurrency for nearly a decade, but the payoff has never looked more lucrative than in the past two years. The value of Bitcoin and Ether reached all-time highs last November as the market for blockchain-based assets ballooned.
At the same time, the amount of computing power needed to mine cryptocurrencies has increased, creating “perverse incentives” for hackers who are able to access computing resources as cheaply as possible, said Bruce Schneier, a security expert at Harvard’s Berkman Klein Center for Internet & Society.
Last month, Jonny Platt, founder of SEO Scout, posted a Twitter thread describing $45,000 in charges from a crypto hack and little response from Amazon. By his calculation, the hacker used his account to mine just $800 worth of the cryptocurrency Monero. (Platt said Amazon eventually agreed to waive his $45,000 tab as a “one off exception.”)
Earlier this month, a California college student who said he had only used AWS for a small school project described on Reddit how he was billed $55,000 after his AWS account was hacked.
“I’m a student and just lost almost all my savings meant for tuition,” he said.
Most of the examples reviewed by Insider were for Amazon Web Services charges, but customers of Microsoft Azure and Google Cloud have also seen sky-high bills as the result of these types of “cryptojacking” hacks. A Missouri-based tech firm was charged $760,000 after hackers broke into its Microsoft Azure account, according to a federal indictment filed last month in Missouri. A Google Cloud customer posted on the message board Hacker News in 2019 that they had been charged $14,000 for a hack.
Adjudicating who should pay for the cloud usage fees when an account has been compromised is not straightforward, experts say. While cloud computing providers tend to blame user error, the providers’ own security is not perfect.
In general, software giants should err on the side of protecting their least-savvy users, said Tony Anscombe, chief security evangelist for internet security company ESET.
“AWS provides options to secure an account, such as app-based multi-factor authentication,” Anscombe said. “But in a scenario where the customer is not knowledgeable enough to understand the risk and protect an account using the options available, then the responsibility falls back to the supplier to educate the customer on the need for the optional security to be implemented, or to make it mandatory.”
Amazon typically ends up waiving nearly all fees run up by hackers, said cloud billing consultant Corey Quinn, but not everyone may know that — and navigating AWS customer support can be arduous, especially for smaller customers. Quinn pointed to the 2020 suicide of a 20-year-old Robinhood trader, who mistakenly believed he owed $730,000, as a sign that huge bills can still cause damage, adding that AWS should enact more safeguards.
Users need to have the option of preventing AWS from billing them above a certain amount each month, Quinn said. “Don’t let me do anything that will cost more money until I affirmatively say yes,” he said. “Once they let people express intent around what the account is for, a lot of the problems go away.”
AWS does allow customers to set up an alert when usage reaches a certain level, and Chin said he had set up an alert to notify him if there were $200 in charges. But he did not hear from Amazon until his bill was much higher.
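The two controls this passage touches on, a fixed-dollar billing alert and the rate-of-spend change that such an alert misses, as an added example in Python (it is not code from Insider, AWS or any of the people quoted). The budget payload follows the shape the `aws budgets create-budget` API accepts as this example understands it; the e-mail address and the daily cost figures are constructed for illustration and are not real billing data.

```python
"""Added example: build an AWS Budgets alert at a dollar cap, and flag days whose
spend jumps far above the recent baseline (the pattern mining produces)."""
import json
from statistics import median


def budget_payloads(limit_usd: float, email: str, name: str = "monthly-cap-alert"):
    """Return (budget, notifications) as the two dicts a cost budget needs.
    Notifications fire at 80% and 100% of actual spend and when the month's
    forecast crosses 100%, so the warning arrives before the cap is hit."""
    budget = {
        "BudgetName": name,
        "BudgetLimit": {"Amount": f"{limit_usd:.2f}", "Unit": "USD"},
        "TimeUnit": "MONTHLY",
        "BudgetType": "COST",
    }

    def notification(kind: str, pct: int) -> dict:
        return {
            "Notification": {
                "NotificationType": kind,  # ACTUAL or FORECASTED
                "ComparisonOperator": "GREATER_THAN",
                "Threshold": pct,
                "ThresholdType": "PERCENTAGE",
            },
            "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
        }

    notifications = [
        notification("ACTUAL", 80),
        notification("ACTUAL", 100),
        notification("FORECASTED", 100),
    ]
    return budget, notifications


def spike_days(daily_costs, window: int = 14, factor: float = 5.0, floor_usd: float = 20.0):
    """Flag (day, cost, baseline) where cost >= factor * median of the previous
    `window` days and at least `floor_usd`. A fixed $200 alert fires once and
    then stays silent; this catches the change in daily burn rate that
    compromised compute produces, even while month-to-date spend is still
    below the cap. The median keeps one spike day from inflating the baseline."""
    flagged = []
    for i, (day, cost) in enumerate(daily_costs):
        history = [c for _, c in daily_costs[max(0, i - window):i]]
        if len(history) < 3:  # not enough history to judge
            continue
        baseline = median(history)
        if cost >= max(floor_usd, factor * baseline):
            flagged.append((day, cost, baseline))
    return flagged


# Constructed sample: roughly $4-5/day of normal usage, then a jump on the 20th.
SAMPLE = [(f"2021-12-{d:02d}", 4.0 + (d % 3) * 0.5) for d in range(1, 20)]
SAMPLE += [("2021-12-20", 1450.0), ("2021-12-21", 1780.0), ("2021-12-22", 1790.0)]

if __name__ == "__main__":
    budget, notifications = budget_payloads(200, "billing-alerts@example.com")  # constructed address
    # These two documents are what you would pass as --budget and
    # --notifications-with-subscribers to `aws budgets create-budget`.
    print(json.dumps(budget, indent=2))
    print(json.dumps(notifications, indent=2))
    for day, cost, base in spike_days(SAMPLE):
        print(f"{day}: ${cost:,.2f} against a baseline of ${base:.2f}/day")
```

The budget alert is the control the article says Chin had configured; the spike detector is the check a practitioner would add on top of it, fed from daily cost data (for example a Cost Explorer export), because AWS billing metrics update only a few times a day and a single threshold gives no second warning once crossed.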
Chin said he was baffled that AWS didn’t detect the suspicious activity and notify him sooner.
“They are the most advanced data company in the world,” Chin said. “Obviously something is wrong and they should have caught that. The hacker spent more in a day than I have in the last year.”
Chin said he had to jump through hoops that larger AWS customers can bypass because they pay for phone support, which would cost him thousands of dollars a month he does not have. Nearly two weeks after first reporting the charges, Chin is still on edge as he waits for a resolution.
“I’m hopeful that Amazon will do the right thing,” Chin said. “They also have to keep working to protect and educate customers so this doesn’t happen to anyone else. It can ruin people.”
Do you work at Amazon? Contact reporter Katherine Long via encrypted messaging apps Signal/Telegram (+1-206-375-9280) or email ([email protected]).
Got a tip? Contact reporter Ben Bergman at [email protected] or on Twitter @thebenbergman.
Reach out using a non-work device. Check out Insider’s source guide for other tips on sharing information securely.
Crypto Mining Hacks Leave Amazon Cloud Customers With Huge Bills – Business Insider