To be secure, AWS users must mind their keys and cues

Gigaom

A few weeks ago, startup Code Spaces shut down after a distributed denial of service (DDoS) attack, followed by attempted extortion, followed by the attacker accessing the company’s Amazon Web Services’ EC2 control panel and deleting data when the company did not pay up. Bye bye Code Spaces.

It is a nightmare scenario no matter how you cut it, but similar incidents have cropped up — albeit not with such dramatic results. Security experts say that typically in these other cases a user inadvertently posts his or her AWS account root key somewhere public — on GitHub or Stack Overflow, for example — and miscreants seize on that to spin up free (well, free to them anyway) computing resources. The goal here isn’t extortion or stealing data — it’s free IT.

Recently, an unnamed company said someone was able to spin up tens of thousands of dollars’ worth of “rogue” AWS instances in faraway regions. AWS issued…
