Also contained in the configuration file were two sets of Amazon AWS access keys, one set for development and one set for production. So what did I do next? Nothing. Although I know I could have used the keys to spin up new servers, SSH into existing ones, or completely destroy them, I decided against even testing whether they worked. An important part of security research is knowing when to stop. I went far enough to prove how serious the issue is, and to demonstrate what a malicious attacker could do, while not being overly careless or intrusive.