A YC-Backed Startup Left Production AWS Keys Public for 5 Months(benzimmermann.dev)
benzimmermann.dev
A YC-Backed Startup Left Production AWS Keys Public for 5 Months
https://benzimmermann.dev/blog/pump-vdp-silence
3 comments
Probably vibe-coded their infrastructure.
Many such cases.
Many such cases.
Looks like the site 404s?
Exposed keys are a symptom; the real problem is infrastructure that's reachable from the public internet in the first place. The reason this keeps happening is that the standard solutions; VPNs and static IP whitelisting, have enough friction that small teams implement them poorly or skip them entirely.
If your backend systems aren't publicly reachable, a leaked key has nowhere to go. The secret leaks — but the infrastructure doesn't. The exception is services like S3 that are inherently public-facing — those still need their own access controls regardless.
I've been building something that tackles this directly (dynamic firewall management — writes your team's live IPs to security groups on login, removes them on logout). Happy to share more if anyone's curious.