No clever hackery just plain old social engineering. It’s all down to Staff Training. If you’d like to implement a staff training program give us a call.
The most worrying bit to me is how the Amazon marketing approach of just one account really doesn’t work well if the account is used for Trivial & Ultra Important things all at once.
In the words of @jb….
This attacker started with Amazon because he knew that a commerce shopping site’s customer support would be relatively easy to convince and use to gain access to my account. However, that same site offers cloud services that many startups rely on to host their data. My startup, Droplr, is completely based on Amazon’s stack, from using EC2 servers where we host all of our technology to S3, which we use for file storage. This attacker had access to all of it. I was extremely lucky that in his rush to gain access to @jb, he didn’t think to check if my account had anything under AWS.