My AWS Account Got Hacked - Here Is What Happened
A cloud architect shares a detailed account of how their personal AWS account was compromised through an access key exposed in a Next.js application. The attacker created IAM users, launched EC2 instances for crypto-mining, flooded the victim's inbox with spam to bury AWS notifications, and attempted to use SES for phishing. The post walks through detection, containment, timeline reconstruction from CloudTrail logs, and root cause analysis. Key lessons include proper secret management, enabling GuardDuty, avoiding use of the root user, and responding quickly to suspicious activity.
Table of contents
2-3 hours before realizing
1 hour before realizing
Realizing!
First 1-2 hours - understanding the severity
Hour 3 - Incident analysis
Hour 4 - finding the breach
Summary - Chronological attack flow
Who is the attacker? What was their purpose?
Insights
Epilogue