Software programs are automatically scraping the popular code repository GitHub for private keys that unlock Amazon Web Services accounts, which are then used to help generate Bitcoins.
And one developer who accidentally published his keys on GitHub racked up a $2,375 AWS bill, care of the automated “bots.”
DevFactor founder Andrew Hoffman said he was using an application on GitHub called Figaro, which posted his Amazon S3 keys to his GitHub account. He noticed the blunder and pulled the keys within five minutes, but that was enough for a bot to pounce on the credentials.
"When I woke up the next morning, I had four emails and a missed phone call from Amazon AWS - something about 140 servers running on my AWS account," Hoffman said.
Amazon refunded his bill, as it has done for others whomped by similar scams.