Ask HN: My GCP Account Has been Hacked What do I do?

27 pointsdkroy5y ago5 comments

I have had a number of GCP accounts over the past 5 years, but this last month I have appeared to have been hacked. As a result there are resources that I cannot remove that Google Support refuses to help with. What do I do? This hacker has run up a very large bill, and I do not have the resources to pay it. It would be crazy to me that I would be the first person to run into this issue so advice is welcome.

5 comments

posguy5y ago

Google has no support, and when you do not pay they will brick every Google account you have.

Start a Google Takeout immediately if you have any personal data, and if you use Gmail then update all accounts to a non-Google email address.

Google Takeout: https://www.lifewire.com/what-is-google-takeout-4173795

GuardLlama5y ago

I wouldn't worry.

You just did exactly what you needed to do! Post to HN and hope the thread gets enough upvotes to reach the frontpage to find a human at Google.

swagonomixxx5y ago

That's actually so sad.

gbrindisi5y ago

Ouch. What resources can you not remove? What exactly are you running?

In general, as first thing stop the bleeding:

1. Stop your services from running

2. Check your IAM policies for anything suspicious, new service accounts, new users. Clean up.

3. Rotate all your Service Accounts and Service Account’s keys! If possible re-provision your machines (with a new SA) and redeploy your apps.

4. Check your VPC’s firewall

Then you absolutely need to figure out how you’ve been hacked. If the breach is on the application layer you must figure out where and patch it. Check your application logs.

Then check your GCP activity logs, search for unexpected calls from service accounts - assume the attacker has compromised a service account and search for attempt to persist with calls to `setIam` or other sensitive api calls.

Sorry, I’m on mobile but feel free to reach out If you need (email in profile)

rxsel5y ago

I’m just here for the support. There is definitely someone here lurking that could definitely help :)

Also, I’ve seen a trend of terrible google support. Is this the norm?

j / k navigate · click thread line to collapse