Tell HN: AWS does not require email confirmation for email or password changes
Hey everyone,
I created a new AWS account over the weekend for a hobby project. Tonight I got an email that my password and email had both been changed. I hadn't set up MFA yet simply because I hadn't even used any resources.
I'm just shocked that Amazon doesn't even send a "Hey we're about to lock you out, is this okay?" email before allowing someone to completely take over.
As for the compromise, waiting to hear back on how this happened. I confirmed the password I used isn't in haveibeenpwned. A keylogger seems unlikely since none of my other sensitive accounts have had issues. Just in utter disbelief that account changes would be allowed without any confirmation. Interested in how it happened. Was the password unique?