Hacker News new | past | comments | ask | show | jobs | submit login

I think the parents question was why they wait for the customer to do something instead of blocking/rotating the compromised credentials once they became aware of their existence.

E.g. I remember reading that Amazon even scans Github for AWS credentials proactively now, since this happened all the time.




Obviously they don't want to break their customer's production system without asking.


True. It should be in the TOS that exposed api keys are subject to being revoked to prevent abuse. At least for certain services, and certain types of tokens.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: