How to get robbed by insecure practices

Lesson learned after being hacked and billed $11,146.38 by Amazon Web Services in 17 days in April.

Richardson Dackam
Ruby or Rails


I was recently the victim of an insecure malpractice in Rails involving Carrierwave, Fog, Amazon S3 and a hacker. I wanted to share my story with other developers so that it doesn’t happen to someone else.

The Story

It’s Thursday, 3 AM in Toronto. I go on my startup website before deploying and I realize that all the pictures are down. Alert: something is wrong with my image hosting server. I then try to log in to my AWS console and Amazon is telling me that my account has been shut down. ??? Still not sure what’s going on, I click everywhere and realize that the Bill & Payment page is still working (of course...). There, something terrifying is waiting for me...

It’s been only 17 days in April, how the heck did my bill mount to that amount?

What Happened

I was recently overwhelmed with all my contract jobs so I hired a remote developer to help me with my startup. After asking him to sign a Non Disclosure…
