{
	"id": "944d3d72-8a99-41ca-a4e1-bbeaae6905cf",
	"created_at": "2026-04-29T08:21:53.278187Z",
	"updated_at": "2026-04-29T10:41:57.131511Z",
	"deleted_at": null,
	"sha1_hash": "53fe1a2b150140977f6c36aef82780c0f698956d",
	"title": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97300,
	"plain_text": "Attackers Scrape GitHub For Cloud Service Credentials, Hijack\r\nAccount To Mine Virtual Currency\r\nBy Runa A. Sandvik\r\nPublished: 2014-01-14 · Archived: 2026-04-29 07:21:25 UTC\r\nRich Mogull, CEO at information security research and advisory firm Securosis, was working on a piece of code\r\nto accompany his presentation at the upcoming RSA Conference when he accidentally published the credentials\r\nfor his AWS account--Amazon's cloud computing service--online. A mistake that would later cost him $500.\r\nOfficial Litecoin logo (from http://commons.wikimedia.org/)\r\nIn a blog post titled \"My $500 Cloud Security Screwup\", Mogull writes that he only learned about the issue when\r\nhe received an email from Amazon's AWS team one evening. The email said that both his access and secret key\r\nwere publicly available on GitHub, a web-based hosting service for software development projects. In addition,\r\nthe AWS team had reason to believe someone used the credentials to set up a number of unauthorized servers in\r\nthe Amazon cloud.\r\nAs soon as he had read the email, Mogull logged on to his AWS account and found that the perpetrators had set up\r\nno fewer than ten extra large cloud instances; five on the U.S. west coast, another five in Ireland. All instances had\r\nbeen running for 72 hours, which, Mogull writes, \"means the bad guys found the credentials within about 36 hours\r\nof creating the project and loading the files\" on GitHub.\r\n\"The attackers didn’t mess with anything active I was running,\" Mogull writes in the blog post. 
\"That got me\r\ncurious, because 10 extra large instances racking up $500 in 3 days initially made me think they were out to hurt\r\nme.\" As it turns out, the attackers were using his Amazon account to mine Litecoin, an alternative cryptocurrency\r\ncreated two years ago with a $600 million market cap.\r\nThough the attackers did try to clean up their tracks, further analysis of one cloud instance revealed that not only\r\nwere they using Tor to connect to the server, they also used Tor to connect to a Litecoin mining pool running as a\r\npreviously unknown Tor Hidden Service. While most connections to the server appear to be coming from the Tor\r\nnetwork, there are successful login connections from one host in Latvia and another in China.\r\nIn the blog post, Mogull concludes that attackers \"are scraping GitHub for AWS credentials embedded in code\r\n(and probably other cloud services),\" and use these to launch instances and mine virtual currencies, such as\r\nBitcoin and Litecoin.\r\nMogull has since updated the post to say that Amazon has reached out and reversed the charges.\r\nMary Camarata, Amazon's Global Director of Public Relations, confirmed in an email that they monitor GitHub\r\nand similar sites as part of their operating procedures. 
\"What the blogger experienced is basic fraud,\" she wrote.\r\n\"To help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find\r\nunusual activity.\"\r\nMogull says he considers himself lucky and writes that he is only out \"45 minutes of investigation and\r\ncontainment effort.\" While the attackers would not have been able to lock him out of his own account, they could\r\nhave cost him considerably more time and money.\r\nSource: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196"
	],
	"report_names": [
		"#242c479d3196"
	],
	"threat_actors": [],
	"ts_created_at": 1777450913,
	"ts_updated_at": 1777459317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53fe1a2b150140977f6c36aef82780c0f698956d.pdf",
		"text": "https://archive.orkl.eu/53fe1a2b150140977f6c36aef82780c0f698956d.txt",
		"img": "https://archive.orkl.eu/53fe1a2b150140977f6c36aef82780c0f698956d.jpg"
	}
}