
CostGoat

Cloud · AWS · August 28, 2022

$213,000 — a hacked account ran Lambda in six regions overnight and support first said it was on you

Vendor: AWS
Service: AWS Lambda (plus CloudWatch)
Amount: $213,000 (reported)
Timeframe: Overnight; ~1 month to resolve
Cause: Compromised account
Outcome: Waived

Who's exposed: Anyone with an AWS account. AWS offers no hard spend cap, so an attacker holding valid credentials can launch compute in every region at once, and a $1 budget alert changes nothing: an attacker with administrative rights inside the account can simply delete it.

Resolution: After the thread drew attention, AWS's Executive Customer Relations team contacted the poster directly and revisited the invoice. Following about a week of back-and-forth, the entire invoice was waived. The poster confirmed with support that it was safe to do so and then deleted the AWS account. The waiver came only after public pressure raised the issue's visibility, not through the normal support channels the poster had spent a month on.

Source: r/aws thread by u/Mundungu. Self-reported, with no billing screenshots posted. The poster later edited the thread to confirm the waiver, and dozens of commenters reported the same hacked-account pattern over the following two years.

What happened

A self-described AWS beginner, u/Mundungu, found their account compromised at the end of July. Overnight, within a few hours, the attacker created Lambda functions in region after region, including Tokyo, Sydney, Ireland, Paris, the US and São Paulo, each handling hundreds of thousands of invocations. Most of the charges were Lambda GB-seconds, with a few thousand dollars more in CloudWatch fees. The poster received no notification from AWS before opening a support ticket on July 28. The original bill came to $213,000. For about four weeks AWS support went back and forth: at first reassuring the poster that this kind of thing happens and not to worry, then shifting to say the poster was liable for most of the amount, and finally replying with copy-pasted messages that they had done everything they could. The poster took a day off work to look for an attorney and described it as one of the worst months of their life.

Root cause

The account was compromised through leaked credentials. The poster later linked the pattern to Denonia, a cryptomining malware built to run inside AWS Lambda. No console login was needed: a leaked access key is enough to call the Lambda API, and because AWS has no hard spend cap, an attacker can fan compute out across every region in parallel and run up six figures before any billing alert catches up. The poster had set a $1 monthly budget while securing the account, but as they noted, an attacker with admin rights inside the account can simply remove it. The billing metrics that feed budget alerts lag hours to a day or more behind actual usage, so an overnight burst like this one is largely finished before a threshold trips.

How to avoid it

Enable MFA on the root user and every IAM user with console access, and rotate or delete any static access keys. Nearly every hacked-account story in this thread traced back to credentials an attacker could reuse; MFA and short-lived credentials cut off the entry point. For anything that needs programmatic access, prefer roles assumed through STS (IAM Identity Center, instance or Lambda execution roles) over long-lived user keys, which a leak turns into indefinite API access.

Close accounts you no longer use, and confirm the closure actually went through. The poster thought they had closed this account months earlier; a dormant, unwatched account is a free launchpad for abuse.

Set budget alerts and treat them as a tripwire, not a cap. There is no automatic spend limit, so alerts are the only early warning, and even those lag hours behind real usage. Remember too that a budget lives inside the account it watches: an attacker with admin rights can delete it, as this poster found. If the account sits in an AWS Organization, a service control policy that denies budgets:ModifyBudget (the permission that covers deleting a budget) to account principals keeps the tripwire in place.
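A concrete way to check the first two items above in your own account is to audit the IAM credential report. The script below is an added example, not from the original post: it parses a constructed credential report (real column names; made-up users, ARNs and dates) and flags the conditions the thread's stories had in common, namely root or console users without MFA, an access key on the root user, and active keys that are stale or have never been used.

```python
"""Audit an IAM credential report for the weaknesses behind the hacked-account pattern.

Added example. In a real account you would pull the report with
`aws iam generate-credential-report` and then
`aws iam get-credential-report --query Content --output text | base64 -d`.
The CSV below is constructed: real column names, made-up users, ARNs and dates.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-05-02T09:00:00+00:00,not_supported,2022-07-28T08:12:44+00:00,not_supported,not_supported,false,true,2019-05-02T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-01-10T12:00:00+00:00,true,2022-07-26T15:02:00+00:00,2022-06-01T12:00:00+00:00,N/A,true,true,2022-06-01T12:00:00+00:00,2022-07-26T15:02:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-ci,arn:aws:iam::111122223333:user/legacy-ci,2020-03-15T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-03-15T08:01:00+00:00,2022-07-27T23:05:12+00:00,ap-northeast-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-11-20T10:00:00+00:00,true,no_information,2021-11-20T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Point in time the sample report is evaluated against (constructed).
AS_OF = datetime(2022, 7, 28, tzinfo=timezone.utc)


def _parse(ts):
    """Report timestamps are ISO 8601 with offset; N/A, no_information and
    not_supported all mean 'no value' and are returned as None."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs. Finding codes:
    NO_MFA          root or console-enabled user without MFA
    ROOT_ACCESS_KEY active access key on the root user (slot number appended)
    STALE_KEY       active key not rotated within max_key_age_days
    UNUSED_KEY      active key that has never been used (delete it)
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # MFA protects sign-in; a key-only user is handled by the key checks below.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"ROOT_ACCESS_KEY:{n}"))
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"STALE_KEY:{n}"))
            if _parse(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"UNUSED_KEY:{n}"))
    return findings


def run_sample():
    """Audit the constructed report as of AS_OF with a 90-day rotation policy."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:16} {finding}")
```

The legacy-ci user in the sample is the shape of account that produced the bill above: no console password, no MFA, and a two-year-old key that is still active. The audit does not flag it for missing MFA because MFA would not have protected that key; the fix is rotation or deletion, which is why the key-age and never-used checks are the ones that matter for service users.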

CostGoat watches your AWS bills, so a surprise like this reaches you as an alert, not an invoice.


© 2026 CostGoat. All rights reserved.
