Hey everyone,

I created a new AWS account over the weekend for a hobby project. Tonight I got an email that my password and email had both been changed. I hadn't set up MFA yet simply because I hadn't even used any resources.

I'm just shocked that Amazon doesn't even send a "Hey we're about to lock you out, is this okay?" email before allowing someone to completely take over.

As for the compromise, waiting to hear back on how this happened. I confirmed the password I used isn't in haveibeenpwned. A keylogger seems unlikely since none of my other sensitive accounts have had issues. Just in utter disbelief that account changes would be allowed without any confirmation.