Well, it finally happened. After years of playing fast and loose with API keys on GitHub, I’ve been hacked.
I woke up to an unusually large billing alarm from my AWS account. Since the code running on this account was storing almost no data, I thought this was a bit odd. So I logged in to my billing account, was redirected to the service center to submit a claim, and found this:
Well, the temporary limiting of my account didn’t appear to help much. The hacker had created about 20 m3.2xlarge EC2 instances and a 35 GB snapshot for every. single. region. available on AWS (Mumbai, Tokyo, Ireland, the list goes on and on), using the keys I uploaded to GitHub. Needless to say, I spent this morning terminating all the EC2 instances, clearing the security groups, and deleting the public key from the account. Sounds like a blast, right?
The funny thing is, the chunk of commented-out code holding the keys was only a quick test written months ago that I never used again, which is why I forgot it even existed in the code.
This was back when I was still learning the ropes. Now, whenever I need an API key, I immediately put it into a JSON file and add that JSON file to the .gitignore for the project, so I don’t have to worry about this stuff while pushing and pulling. I’ve heard there are better tools out there for storing SSH keys, but I’m curious if there are any for API keys. If anyone has any suggestions I’d love to hear them in the comments.
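A .gitignore only helps for files you remember to ignore; the keys in this story were sitting in commented-out code inside a tracked file. As an added example (not part of the original post), here is a small pre-commit style scanner that looks for AWS access key patterns in the staged diff, commented-out lines included. The sample input is constructed and uses AWS's documented placeholder key, not a real credential.

```python
"""Pre-commit style scan for hardcoded AWS access keys in staged changes."""
import re
import subprocess
import sys

# AWS access key IDs are 20 characters: "AKIA" (long-term user keys) or
# "ASIA" (temporary STS keys) followed by 16 uppercase letters or digits.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key assigned near its usual name: 40 base64-style characters.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b")


def find_hardcoded_keys(text):
    """Return (line_no, kind, value) for every suspected key in text.

    Commented-out lines are scanned like any other: git stores them just
    the same, and so does anyone scraping public repositories.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((no, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((no, "secret_access_key", m.group(1)))
    return findings


def staged_additions():
    """Added lines of the staged diff, i.e. what a pre-commit hook should vet."""
    out = subprocess.run(["git", "diff", "--cached", "-U0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


# Constructed sample: a forgotten test block with the keys commented out.
SAMPLE = """import boto3
# client = boto3.client('ec2',
#     aws_access_key_id='AKIAIOSFODNN7EXAMPLE',
#     aws_secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
client = boto3.client('ec2')
"""

if __name__ == "__main__":
    # Run with --demo to scan the constructed sample instead of the real index.
    text = SAMPLE if "--demo" in sys.argv else staged_additions()
    hits = find_hardcoded_keys(text)
    for no, kind, value in hits:
        print(f"line {no}: {kind} {value[:4]}...{value[-4:]}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Installed as `.git/hooks/pre-commit`, a non-zero exit stops the commit before the key ever reaches a remote; the regexes are narrow on purpose, so they catch AWS keys specifically rather than every long string.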
I submitted a claim to get a refund for the charges; we’ll see what happens.
The charges racked up by the hacker ended up being $1100 by the time I managed to kill all the instances! I’ve since received this from Amazon AWS:
Thank God for Amazon’s customer support. The hack was obviously my own fault, but they’re still willing to cover the costs.