Regional BGP hijack of Amazon DNS infrastructure


Matthew Hardeman 24-Apr-2018 08:29
Posted in group: mozilla.dev.security.policy
This story is still breaking, but early indications are that:

1.  An attacker at AS10297 (or a customer thereof) announced several more
specific subsets of some Amazon DNS infrastructure prefixes:

205.251.192-.195.0/24 205.251.197.0/24 205.251.199.0/24

2.  It appears that AS10297 via peering arrangement with Google got
Google's infrastructure to buy (accept) the hijacked advertisements.

3.  It has been suggested that at least one of the anycast 8.8.8.8
resolvers performed resolutions of some zones via the hijacked targets.

It seems prudent for CAs to look into this deeper and scrutinize any domain
validations reliant on DNS from any of those ranges this morning.
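
One way a CA could run the review suggested above, as an added example that is not part of the original post: it flags validation records whose DNS answers came from a nameserver address inside the listed prefixes. The record schema, sample domains, and the review window are constructed assumptions, and the shorthand "205.251.192-.195.0/24" is read as four consecutive /24s.

```python
import ipaddress
from datetime import datetime, timezone

# Prefixes named in the post. Its shorthand "205.251.192-.195.0/24" is read
# here as the four /24s 192 through 195 (an interpretation, not stated there).
HIJACKED = [ipaddress.ip_network(f"205.251.{o}.0/24")
            for o in (192, 193, 194, 195, 197, 199)]

def hijacked_prefix(ip):
    """Return the listed prefix containing ip, or None (IPv6 never matches)."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in HIJACKED if addr in net), None)

def flag_validations(records, start, end):
    """List (domain, method, ns_ip, prefix) for validations inside [start, end]
    whose DNS lookups were answered from an address in a listed prefix."""
    flagged = []
    for rec in records:
        when = datetime.fromisoformat(rec["time"])
        if not start <= when <= end:
            continue
        for ip in rec["ns_ips"]:
            net = hijacked_prefix(ip)
            if net is not None:
                flagged.append((rec["domain"], rec["method"], ip, str(net)))
    return flagged

# Constructed review window: all of 24-Apr-2018 UTC, a deliberately wide
# placeholder because the post only says "this morning".
START = datetime(2018, 4, 24, 0, 0, tzinfo=timezone.utc)
END = datetime(2018, 4, 24, 23, 59, 59, tzinfo=timezone.utc)

# Constructed validation-log records (hypothetical schema and domains).
SAMPLE = [
    {"domain": "a.example", "method": "dns-01", "time": "2018-04-24T11:20:00+00:00",
     "ns_ips": ["205.251.193.10", "198.51.100.53"]},
    {"domain": "b.example", "method": "http-01", "time": "2018-04-24T12:05:00+00:00",
     "ns_ips": ["205.251.196.7", "2001:db8::53"]},      # .196 is not listed
    {"domain": "c.example", "method": "dns-01", "time": "2018-04-24T12:40:00+00:00",
     "ns_ips": ["205.251.199.200"]},
    {"domain": "d.example", "method": "dns-01", "time": "2018-04-23T09:00:00+00:00",
     "ns_ips": ["205.251.192.1"]},                       # outside the window
]

if __name__ == "__main__":
    for hit in flag_validations(SAMPLE, START, END):
        print("re-check:", *hit)
```

Records that come back flagged are candidates for re-validation over a path that did not depend on the affected prefixes.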