by dkroy on 7/9/20, 12:55 AM with 5 comments
by posguy on 7/9/20, 1:10 AM
Start a Google Takeout immediately if you have any personal data, and if you use Gmail then update all accounts to a non-Google email address.
Google Takeout: https://www.lifewire.com/what-is-google-takeout-4173795
by GuardLlama on 7/9/20, 1:16 AM
You just did exactly what you needed to do! Post to HN and hope the thread gets enough upvotes to reach the frontpage to find a human at Google.
by gbrindisi on 7/9/20, 10:34 AM
In general, as a first thing, stop the bleeding:
1. Stop your services from running
2. Check your IAM policies for anything suspicious, new service accounts, new users. Clean up.
3. Rotate all your Service Accounts and Service Account keys! If possible, re-provision your machines (with a new SA) and redeploy your apps.
4. Check your VPC’s firewall
Then you absolutely need to figure out how you’ve been hacked. If the breach is on the application layer you must figure out where and patch it. Check your application logs.
Then check your GCP activity logs, search for unexpected calls from service accounts - assume the attacker has compromised a service account and search for attempts to persist with calls to `setIam` or other sensitive API calls.
Sorry, I’m on mobile but feel free to reach out if you need (email in profile)
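One way to do the audit-log search described in the comment above, as an added example that is not code from this thread or from Google: a small Python triage script that parses Cloud Audit Log entries exported as newline-delimited JSON and flags sensitive calls (IAM policy changes, service account key creation, firewall edits) made by service account principals. It assumes the standard `protoPayload` fields (`methodName`, `authenticationInfo.principalEmail`, `requestMetadata.callerIp`) as Cloud Logging exports them; the sample log lines, project name, principals and IP addresses are constructed for the example, and the list of sensitive method names is a starting set, not an exhaustive one.

```python
import json
from collections import Counter

# Constructed sample of GCP Cloud Audit Log entries (newline-delimited JSON),
# trimmed to the fields this triage needs. Made up for the example: the project,
# principals and IPs are placeholders. The last line is deliberately not JSON,
# since exports sometimes contain junk the parser must skip.
SAMPLE_AUDIT_LOG = r"""
{"timestamp":"2020-07-08T22:10:03Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"deploy-sa@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2020-07-08T22:11:40Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"deploy-sa@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2020-07-08T22:12:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.list","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.20"}}}
{"timestamp":"2020-07-08T22:13:15Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.firewalls.insert","authenticationInfo":{"principalEmail":"deploy-sa@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.7"}}}
{"timestamp":"2020-07-08T22:14:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.get","authenticationInfo":{"principalEmail":"app-sa@example-project.iam.gserviceaccount.com"}}}
{"timestamp":"2020-07-08T22:15:30Z","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.20"}}}
not-json garbage line that a log export may contain
"""

# Lower-cased substrings of methodName values that change who can do what
# (IAM bindings, new long-lived credentials, roles, firewall rules).
# This is an assumed starting set, not an exhaustive list.
SENSITIVE_METHOD_MARKERS = (
    "setiampolicy",             # alters role bindings on a project/bucket/etc.
    "createserviceaccountkey",  # mints a new long-lived credential
    "createserviceaccount",
    "createrole",
    "updaterole",
    "firewalls.insert",
    "firewalls.patch",
    "firewalls.delete",
)


def parse_audit_log(text):
    """Parse NDJSON audit entries into flat records; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # junk line: skip rather than abort the whole triage
        payload = entry.get("protoPayload", {})
        records.append({
            "timestamp": entry.get("timestamp", ""),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "method": payload.get("methodName", ""),
            "service": payload.get("serviceName", ""),
            # requestMetadata is optional in real entries; do not crash when absent
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "unknown"),
        })
    return records


def is_service_account(principal):
    """GCP service account identities end in .gserviceaccount.com."""
    return principal.endswith(".gserviceaccount.com")


def is_sensitive_method(method):
    m = method.lower()
    return any(marker in m for marker in SENSITIVE_METHOD_MARKERS)


def flag_persistence_attempts(records, only_service_accounts=True):
    """Return the sensitive calls, by default only those made by service accounts."""
    hits = []
    for r in records:
        if not is_sensitive_method(r["method"]):
            continue
        if only_service_accounts and not is_service_account(r["principal"]):
            continue
        hits.append(r)
    return hits


def summarize_by_principal(hits):
    """Count flagged calls per principal so the noisiest identity stands out."""
    return Counter(h["principal"] for h in hits)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = flag_persistence_attempts(recs)
    for h in flagged:
        print(f'{h["timestamp"]} {h["principal"]} {h["method"]} from {h["caller_ip"]}')
    print(dict(summarize_by_principal(flagged)))
```

Run it against a real export by replacing `SAMPLE_AUDIT_LOG` with the file contents; a service account that creates keys, changes IAM policy and opens firewall rules within a few minutes, as `deploy-sa` does in the sample, is exactly the pattern the comment says to look for before rotating that account.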
by rxsel on 7/9/20, 6:40 PM
Also, I’ve seen a trend of terrible Google support. Is this the norm?