Who was to blame for what looked like a DDoS attack on the AA? That would be … the AA

From lost keys to dead batteries, UK car insurance giant the AA says it’s “here for everyone”. Except, that is, when it stalls its servers with a self-inflicted distributed denial of service (DDoS) attack.

As The Register reports, on Monday, the AA accidentally sent out a “password update” email to customers.

You can imagine the response: password update? What password update? Do I have to update my password?

Concerned motorists want to know! So they all floored it over to the site to change their passwords.

…creating a traffic jam, overwhelming the AA’s servers and running them clear off the road. The Register said that Brits were “furious” when they couldn’t access their profiles, fearing that their accounts had been hijacked, with hackers having gone in and changed their passwords.

The AA didn’t help matters much with its first Twitter communique, which sounded for all the world like a massive phishing attack was under way:

No, nobody changed anybody’s passwords. That email wasn’t supposed to go out, the business said next:

Customers were flummoxed. The site was turning them away, yet the business said it didn’t change passwords – so what’s the deal?

No, really, nobody changed your password, the AA said. Just give us a minute, we’re working on this!

…And while we’re at it, one commenter said, what’s going on with that database leak?!

That was likely in reference to a tweet, also on Monday, about 13GB of exposed database backups. The tweet came from Troy Hunt, security researcher and exposed-database wrangler extraordinaire:

So OK, a randomly sent, DDoS-spawning, not-a-phishing-attack email, followed by news about an exposed customer database that AA didn’t inform customers about?

No, no, no, the much-explaining AA said, that exposed database was trivial, nothing to worry about, and has been taken care of!

So…. just a stray email? Not a phishing attack? Sent by who, exactly? The Register suggested maybe an inexperienced staffer pressing the wrong button or something like that, rather than hostile hacker action… maybe?!

Well, it wouldn’t be surprising, if it were in fact a rookie mistake. And honestly, if it were the fault of a fat-fingered newbie, it wasn’t all that bad, as mistakes go.

True, there were frustrated customers galore, judging by the Twitter sputtering. But hey, any day that doesn’t end in blowing up a company’s live production database, getting fired, and then facing legal action after only one measly day on the job – and yes that’s a true story! – well, comparatively, this one is small potatoes!