leak bucket

According to a statement by Capital One released on July 19, an unauthorized party gained access to the company’s customer data: approximately 106 million individuals in the United States and Canada. Data was stored in Amazon S3 buckets but accessed using Capital One infrastructure. Capital One admits that it was a misconfiguration of the web application firewall that allowed the attacker to acquire suitable credentials and use certain commands to obtain data. However, presumptive evidence suggests that it was due to Server-Side Request Forgery.

The Leak

The information that leaked pertained to consumers and small businesses that applied for Capital One credit cards from 2005 to 2019. It included personal information such as names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income. The leak also included some credit card customer data, for example, credit scores, credit limits, balances, payment history, and contact information, as well as about 140,000 Social Security numbers and 80,000 linked bank account numbers.

Some of the accessed information was shortly available via a public account on GitHub. However, the scope of the leak is unknown. At this moment, it is not known whether the attacker shared more of the information via other channels with any third parties.

The Hack

On July 29, Seattle police arrested 33-year old Paige Thompson, having clear evidence that she is responsible for the hack. Thompson was previously an engineer working for Amazon (from May 2015 until September 2016).

According to the court records, the hack was caused by a web application firewall (WAF) misconfiguration, which permitted commands to reach the server and be executed. Thompson supposedly managed to obtain the security credentials for a WAF role which enabled her to access Amazon S3 bucket folders. This, in turn, let her list the bucket content and download (sync) the data. 

It is not clear what the security misconfiguration was. Some commenters are suggesting that it was an SSRF exploit – the WAF could have been accepting parameter values that were then used to expose IAM credentials via the EC2 metadata service. Unfortunately, Capital One (unlike for example Cloudflare) did not disclose the details of the misconfiguration that made the leak possible.

Thompson used two mechanisms to cover her tracks: TOR and IPredator VPN. These two methods would have made her very difficult to be identified. Unfortunately for her, Thompson’s later actions made her identity absolutely clear. First of all, she bragged about the hack on a public Slack channel without obfuscating her IP. She also mentioned that she used TOR and IPredator. Second of all, she placed the data on a GitHub account registered under her own name.

Thompson was turned in by one of her acquaintances who was aware of the data on GitHub and, most probably, was in contact with her via the public Slack channel. The anonymous party messaged Capital One offering help with tracking the hacker down.

The Motives

Capital One does not believe that Thompson had malicious intent and was aiming to steal from the clients of the company. Most facts seem to suggest that the hack was an attempt to seek attention. Possibly, it could have been in some way associated with her past work with Amazon.

Public behavior of Thompson also suggests that she is deeply troubled. Her tweets expressed a desire to be deported (possibly due to the recent mistreatment of transgender people in the US), and even a desire for medically-assisted suicide in Denmark. She appeared to be in heavy grief after a loss of a pet and the deportation of her Greek partner. This might also explain the erratic behavior that caused her to be so easily identified.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.