This seems like something they just never concidered until a really big client that was getting hammered told them they can stick the bill. So they are spinning it for good pr
This was actually because a small developer picked the name of their new S3 bucket that happened to collide with a default name of an open source package. Over one weekend they racked up $1300 charges and thousands of users attempted to upload to their bucket. Every call failed (invalid api key) but the developer was still charged.
I don't buy it. Unauthorized access attempts are a constant on the internet in general, and in AWS endpoints in particular. When anyone exposes an endpoint, it's a matter of minutes until it starts to get prodded by security scanners. I worked on a project where it's endpoints were routinely targeted by random people running FLOSS security scanners resulting in thousands of requests that were blocked either by rate-limiting or bad/lack of credentials. I don't believe that a single invoice of $1k would trigger such a sudden and massive change of heart, when accidental costs in AWS easily reach orders of magnitude above that price tag.