San Sebastián firm hit with €700k cloud bill after week-long cyberattack

Locked out of its own infrastructure, watching the bill climb
The company could see the attack happening in real time but was technically unable to stop it.

In the digital age, doors left open through carelessness do not stay closed for long. A San Sebastián company learned this the most expensive way possible when unknown attackers exploited a forgotten administrator account to run up 700,000 euros in cloud computing charges over seven days, in what has become the largest documented cyberattack in Gipuzkoa. The incident, which ended in litigation against Amazon and an almost miraculous resolution, shows how much collective security depends on the most mundane habits: a careless password, an account never deleted, a moment of forgetfulness.

  • A routine alert revealed that the usual monthly spend of between 300 and 1,000 euros had shot up to 100,000 euros a day, turning an ordinary morning into an unprecedented crisis.
  • The attackers did not just get in: they linked the virtual infrastructure to external accounts, leaving the company technically locked out and unable to shut down its own machines for seven days.
  • While the technical team watched helplessly as the damage accumulated in real time, the attackers mined cryptocurrency with the hijacked computing power, turning the chaos into their own profit.
  • On the seventh day, a specialist linked to the company's cyber insurance found the precise commands to force the shutdown, ending a siege that had cost 700,000 euros.
  • Amazon, after investigating, acknowledged a flaw in its own platform that allowed unauthorized account linking, and absorbed almost the entire cost; the attackers, by contrast, disappeared without leaving a traceable trail.
  • The case comes at a time when Ziur warns that global cyberattacks have tripled in three months, making this experience a harbinger rather than an exception.

A San Sebastián company woke up one morning to a cloud bill growing out of control. What looked like a minor alert became the most serious documented cyberattack in Gipuzkoa: seven days of digital siege that would end up in court against Amazon.

The origin was negligence. Years earlier, someone had created a superuser account for testing and simply forgotten about it. It had full administrative privileges and a weak password. The attackers found it by brute force and, once inside, acted with surgical precision: they launched virtual machines immediately, like someone who knows the layout of another person's house by heart.

The most devastating part came next. When the company tried to stop the machines, Amazon's system refused: the attackers had linked the infrastructure to external accounts, making the company appear not to be the legitimate owner of what was running in its name. Every shutdown request bounced. The daily bill reached 100,000 euros.

For seven days, the technical team lived in contained panic, watching the damage accumulate without being able to stop it, while the attackers mined cryptocurrency with the stolen computing power. On the seventh day a cyber insurance specialist arrived who found the exact commands to force the shutdown. The final bill: 700,000 euros.

Months of legal negotiation followed. The company argued that Amazon had failed in its handling of the incident and that there was a programming error that allowed unauthorized account linking. Amazon acknowledged it and absorbed almost all of the cost; the company's actual loss was barely 1,000 euros.

The attackers disappeared through a network of servers and VPNs in Russia and Asia, jurisdictions where international cooperation on cybercrime is scarce. They kept the cryptocurrency. The case came just as Ziur was announcing that global cyberattacks had tripled in three months: it is no longer an anomaly, but a warning of what is to come.

A San Sebastián company discovered one morning that its cloud bill had spiraled into the hundreds of thousands of euros. What began as a routine alert—the kind that usually means nothing—became the most severe cyberattack documented in the region, a seven-day siege that would eventually pit the company against Amazon in court.

The breach started with negligence. Years earlier, someone had created a superuser account for testing purposes and simply forgotten to delete it. The account carried full administrative privileges. The password was weak—the kind of thing that looks secure to tired eyes but crumbles under systematic pressure. Attackers used brute force tools, machines that methodically try combination after combination until the lock gives way. Once inside the administrative panel, they moved with precision, launching virtual machines and spinning them up immediately. They knew Amazon's infrastructure the way a burglar knows a house.
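
The forgotten test account above is what a periodic credential audit is meant to catch. The following is an added example, not part of the original article: it scans a constructed sample in the column layout of an AWS IAM credential report and flags enabled passwords and access keys that have sat idle. The user names, dates and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (only the columns used here); user names and dates are made up.
SAMPLE_REPORT = """user,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,2023-01-10T09:00:00+00:00,true,2025-05-28T08:12:00+00:00,true,false,N/A
test-admin,2019-03-02T11:30:00+00:00,true,2019-03-05T16:45:00+00:00,false,false,N/A
ci-deploy,2022-06-01T10:00:00+00:00,false,N/A,false,true,2025-05-30T02:00:00+00:00
old-script,2020-02-14T10:00:00+00:00,false,N/A,false,true,2020-09-01T00:00:00+00:00
"""

def _parse(ts):
    """Return an aware datetime, or None for 'N/A' / 'no_information'."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def find_stale_credentials(report_csv, now, max_idle_days=90):
    """Flag users whose enabled password or access key has been idle too long."""
    cutoff = now - timedelta(days=max_idle_days)  # 90 days is an assumed policy
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        created = _parse(row["user_creation_time"])
        # The report carries no permission data; privilege is reviewed separately.
        checks = [("password", row["password_enabled"], row["password_last_used"]),
                  ("access_key_1", row["access_key_1_active"], row["access_key_1_last_used_date"])]
        for kind, enabled, last_used in checks:
            if enabled != "true":
                continue
            # A credential that was never used is aged from the user's creation time.
            last = _parse(last_used) or created
            if last is not None and last < cutoff:
                findings.append({"user": row["user"], "credential": kind,
                                 "idle_days": (now - last).days,
                                 "mfa": row["mfa_active"] == "true"})
    # Console passwords without MFA come first, then the longest idle.
    findings.sort(key=lambda f: (f["credential"] != "password" or f["mfa"], -f["idle_days"]))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for f in find_stale_credentials(SAMPLE_REPORT, now):
        print(f)
```

The credential report does not list permissions, so whether a flagged user holds administrative rights has to be checked against its attached policies.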

But the real trap came next. The company's systems detected the problem almost at once. Normal monthly spending hovered between 300 and 1,000 euros. Within hours, consumption had tripled. An alert fired. Someone should have been able to shut it down. Instead, when the company tried to kill the machines, Amazon's system refused. The attackers had linked the virtual infrastructure to external accounts and entities—a technical sleight of hand that made the company appear to have no ownership over what was running in its own name. Every shutdown request bounced back: you are not the legitimate owner. The company was locked out of its own infrastructure. The daily bill climbed to 100,000 euros.

For seven days, the systems team lived in a state of controlled panic. They could see the damage accumulating in real time but could not stop it. The attackers, meanwhile, were quietly mining cryptocurrency on the company's dime, using the computational power they had seized. On the seventh day, a specialist arrived—someone connected to the company's cyber insurance policy, trained for exactly this kind of nightmare. This technician found the precise commands needed to force a shutdown, to override the locks the attackers had put in place. The machines went dark.

The final bill was 700,000 euros, accumulated over one week.

What followed was months of legal negotiation. The company argued that Amazon had failed to manage the incident properly, that there was a flaw in the platform itself—a programming error that allowed unauthorized account linking in the first place. Amazon, after investigation, agreed. The company had been negligent with its own credentials, yes, but the platform had a genuine vulnerability. Amazon accepted responsibility and covered nearly the entire cost. The company's actual loss came to roughly 1,000 euros.

The attackers, by contrast, vanished. Their trail led through multiple server hops and VPN networks across Russia and parts of Asia—jurisdictions where international cooperation on cybercrime is sparse or nonexistent. They kept the cryptocurrency they had mined. A week's worth of stolen computing power, converted to digital currency, was enough to make the risk worthwhile.

The incident arrived as a warning. Ziur, the industrial cybersecurity center in Gipuzkoa, had announced just days before that cyberattacks globally were tripling over the previous three months. The San Sebastián company's experience was no longer an outlier. It was becoming the shape of things to come.

The attackers linked the machines to external AWS accounts, making the company appear to have no ownership over what was running in its own name
— Technical analysis of the attack method
Cyberattacks globally are tripling over the previous three months
— Ziur, Gipuzkoa's industrial cybersecurity center
The Hearth Conversation: Another perspective on the story
Inventor

How does a company not notice a forgotten admin account sitting in its systems for years?

Model

Because it works. The account was created for testing, used once or twice, then ignored. No one thought to audit it. It's like leaving a spare key under the mat—you forget it's there until someone uses it.

Inventor

And the password was just weak?

Model

Embarrassingly weak. The kind of thing that looks fine in the moment but falls apart under any real pressure. Brute force attacks aren't clever—they're just patient. Try enough combinations and you get in.

Inventor

But the company detected the attack almost immediately. Why couldn't they just turn it off?

Model

That's the sophisticated part. The attackers linked the machines to other AWS accounts. When the company tried to shut down what they thought was theirs, Amazon's system said no—you don't own this. It was a lock within a lock.

Inventor

So they were trapped watching the bill climb?

Model

Exactly. A hundred thousand euros a day. For seven days. They could see it happening in real time and couldn't stop it.

Inventor

How did it finally end?

Model

A specialist with the right knowledge found the override commands. But by then the damage was done.

Inventor

And Amazon paid for it?

Model

Most of it. They acknowledged the platform had a flaw. But the attackers? They're gone. They got paid in cryptocurrency and disappeared into networks where no one can touch them.

Inventor

So the company was lucky?

Model

In a way. They could have lost everything. Instead they lost almost nothing. But luck isn't a strategy.
