I have had a number of GCP accounts over the past 5 years, but this last month I appear to have been hacked. As a result there are resources that I cannot remove that Google Support refuses to help with. What do I do? This hacker has run up a very large bill, and I do not have the resources to pay it. It would be crazy to me that I would be the first person to run into this issue, so advice is welcome.
Google has no support, and when you do not pay they will brick every Google account you have.<p>Start a Google Takeout immediately if you have any personal data, and if you use Gmail then update all accounts to a non-Google email address.<p>Google Takeout: <a href="https://www.lifewire.com/what-is-google-takeout-4173795" rel="nofollow">https://www.lifewire.com/what-is-google-takeout-4173795</a>
I wouldn't worry.<p>You just did exactly what you needed to do! Post to HN and hope the thread gets enough upvotes to reach the front page to find a human at Google.
Ouch. What resources can you not remove? What exactly are you running?<p>In general, as a first thing, stop the bleeding:<p>1. Stop your services from running<p>2. Check your IAM policies for anything suspicious, new service accounts, new users. Clean up.<p>3. Rotate all your Service Accounts and Service Account keys! If possible, re-provision your machines (with a new SA) and redeploy your apps.<p>4. Check your VPC’s firewall<p>Then you absolutely need to figure out how you’ve been hacked. If the breach is on the application layer you must figure out where and patch it. Check your application logs.<p>Then check your GCP activity logs, search for unexpected calls from service accounts - assume the attacker has compromised a service account and search for attempts to persist with calls to `setIam` or other sensitive API calls.<p>Sorry, I’m on mobile but feel free to reach out if you need (email in profile)
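The activity-log search described in the comment above, as an added example that is not part of the original thread: it scans exported Cloud Audit Log entries (one JSON object per line) for sensitive calls made by service accounts and lists any IAM bindings they added. The sample entries, the `demo-proj` names and the `SENSITIVE` list are constructed assumptions, and `SetIamPolicy` is assumed to be the call the comment abbreviates as `setIam`.

```python
import json

# Method-name fragments worth reviewing (an assumed starting list, extend it).
# "CreateServiceAccount" also matches CreateServiceAccountKey.
SENSITIVE = ("SetIamPolicy", "CreateServiceAccount",
             "firewalls.insert", "firewalls.patch")

SA = "deploy@demo-proj.iam.gserviceaccount.com"  # constructed principal

def _entry(ts, who, method, **extra):
    """Build one constructed audit-log line in the Cloud Audit Logs JSON shape."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": method, "authenticationInfo": {"principalEmail": who}, **extra}})

# Constructed sample export (not real data).
SAMPLE_LOG = [
    _entry("2024-05-01T10:00:00Z", SA, "storage.objects.get"),
    _entry("2024-05-01T10:02:00Z", SA, "SetIamPolicy", serviceData={"policyDelta": {
        "bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:outsider@example.com"}]}}),
    _entry("2024-05-01T10:03:00Z", SA, "google.iam.admin.v1.CreateServiceAccountKey"),
    _entry("2024-05-01T10:04:00Z", "admin@example.com", "SetIamPolicy"),
    _entry("2024-05-01T10:05:00Z", SA, "v1.compute.firewalls.insert"),
    '{"timestamp": "2024-05-01T10:0',  # truncated line, as found in a cut-off export
]

def added_bindings(payload):
    """(role, member) pairs added by a SetIamPolicy call, when the entry records them."""
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return [(d.get("role"), d.get("member")) for d in deltas if d.get("action") == "ADD"]

def suspicious_calls(lines):
    """Return (timestamp, principal, method, added_bindings) for every
    sensitive API call whose caller is a service account."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
            payload = entry.get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated or non-object lines
        principal = (payload.get("authenticationInfo") or {}).get("principalEmail", "")
        method = payload.get("methodName", "")
        if principal.endswith(".gserviceaccount.com") and any(s in method for s in SENSITIVE):
            hits.append((entry.get("timestamp"), principal, method, added_bindings(payload)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_calls(SAMPLE_LOG):
        print(*hit)
```

Each hit is a starting point for review: compare the principal and method against what that service account is supposed to do, and treat any added binding you did not make as a change to revert.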
I’m just here for the support. There is definitely someone here lurking that could definitely help :)<p>Also, I’ve seen a trend of terrible Google support. Is this the norm?