

On July 17, 2019, Capital One received the following email through its responsible disclosure program:
Hello there,
There appears to be some leaked s3 data of yours in someone’s github / gist…
The email then linked to Paige A. Thompson’s Gist repository. Capital One investigated the repository and found that it had 700 buckets of data that had been stored on a server at Capital One’s cloud provider, Amazon Web Services (AWS). Alongside these buckets was the code for three commands:
- The first command would obtain temporary security credentials for the *****-WAF-Role account (part of the account name has been redacted), which could then be used to access Capital One's buckets on the AWS server.
- The second command would list the names of the buckets and folders stored on Capital One’s AWS server.
- The third command would copy data from the buckets and folders that the *****-WAF-Role account had permissions for.
Capital One confirmed that these were its buckets of data from the AWS server, and that the commands worked to copy the data. It also found that the web application firewall for the server was misconfigured, which allowed the commands to be executed on the server via a server-side request forgery (SSRF) attack. Capital One checked its logs and found that the intruder first tried to gain access to its data on March 12. On March 22, the attacker copied some data from the buckets, but the bulk of the data was copied on April 21. The data included about 106 million credit card applications from US and Canadian customers. It contained a wealth of personal data, some of which had been tokenized to protect it. However, the cleartext information included:
- Names
- Addresses
- Dates of birth
- Credit history information
On top of this, around 140,000 Social Security numbers and 80,000 bank account numbers were also compromised.
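The three commands above leave a recognisable trail in CloudTrail: a role that only one workload should ever hold is suddenly used from an address outside that workload's network, and a ListBuckets call is followed by a burst of GetObject reads from the same session. The script below, an added example that is not part of the original article and not Capital One's or AWS's code, runs that detection over a handful of constructed CloudTrail-style records. The account id, the role name EXAMPLE-WAF-Role, the session id, bucket names, addresses and the trusted CIDR are all assumptions chosen for the example.

```python
"""Flag instance-role credential misuse in CloudTrail-style S3 records.

Two signals from the incident write-up are checked: a role meant for one
in-VPC workload being used from an address outside that network, and bucket
enumeration (ListBuckets) followed by a burst of object reads by one session.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed CloudTrail-style records (JSON Lines). Account id, role name,
# session name, bucket names and IP addresses are placeholders, not incident data.
SAMPLE_LOG = """\
{"eventTime":"2019-03-12T10:00:01Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.1.5","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/EXAMPLE-WAF-Role/i-0abc123"},"requestParameters":{"bucketName":"example-waf-logs","key":"log1.gz"}}
{"eventTime":"2019-03-12T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/EXAMPLE-WAF-Role/i-0abc123"}}
{"eventTime":"2019-03-12T10:05:02Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/EXAMPLE-WAF-Role/i-0abc123"},"requestParameters":{"bucketName":"example-card-apps","key":"a.csv"}}
{"eventTime":"2019-03-12T10:05:03Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/EXAMPLE-WAF-Role/i-0abc123"},"requestParameters":{"bucketName":"example-card-apps","key":"b.csv"}}
{"eventTime":"2019-03-12T10:05:04Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/EXAMPLE-WAF-Role/i-0abc123"},"requestParameters":{"bucketName":"example-card-apps","key":"c.csv"}}
{"eventTime":"2019-03-12T10:06:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.1.9","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/analyst"},"requestParameters":{"bucketName":"example-card-apps","key":"a.csv"}}
"""

# Assumptions: which roles belong to in-VPC workloads, and where those workloads run.
INSTANCE_ROLES = {"EXAMPLE-WAF-Role"}
TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def parse_events(text):
    """Parse JSON Lines into dicts, oldest first (CloudTrail delivery is unordered)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["eventTime"])


def role_and_session(event):
    """Return (role name, 'role/session') for an assumed-role ARN, else (None, None)."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None, None
    # Assumed-role ARNs look like arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    _, role, session = ident["arn"].rsplit("/", 2)
    return role, f"{role}/{session}"


def outside_trusted_network(ip_text, cidrs):
    """True when the source is a routable address not inside any trusted CIDR."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # service-originated calls carry a hostname here; not an address
    return not any(ip in net for net in cidrs)


def find_anomalies(events, instance_roles=INSTANCE_ROLES, cidrs=TRUSTED_CIDRS,
                   bulk_threshold=3):
    """Return (kind, session, detail) findings for watched instance roles."""
    findings = []
    enumerated = set()                 # sessions that have called ListBuckets
    reads_after_list = defaultdict(int)
    for ev in events:
        role, session = role_and_session(ev)
        if role not in instance_roles:
            continue
        ip = ev.get("sourceIPAddress", "")
        if outside_trusted_network(ip, cidrs):
            findings.append(("untrusted_source", session,
                             f"{ev['eventName']} from {ip} at {ev['eventTime']}"))
        if ev["eventName"] == "ListBuckets":
            enumerated.add(session)
        elif ev["eventName"] == "GetObject" and session in enumerated:
            reads_after_list[session] += 1
    for session, n in reads_after_list.items():
        if n >= bulk_threshold:
            findings.append(("enumerate_then_bulk_read", session,
                             f"{n} GetObject calls after ListBuckets"))
    return findings


if __name__ == "__main__":
    for kind, session, detail in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{kind:24} {session:32} {detail}")
```

Only the role's own session is flagged; the IAM user reading from inside the VPC produces nothing. In production the trusted CIDRs would come from the VPC configuration rather than a constant, and the first signal becomes far more reliable once the instance metadata service requires session tokens (IMDSv2), because a request relayed through an SSRF can no longer fetch the role credentials with a plain GET.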
There is no evidence that the attacker ever sold or published the stolen data. In case you missed it, all of this was posted on the hacker's GitHub page, which included her own name. She also sent messages on Twitter that made reference to the hack. Needless to say, the hacker isn't going to win any awards for her OpSec. Ultimately, she pled guilty to wire fraud and a number of other hacking-related charges. She served over 100 days in jail and received five years of probation.
Capital One's customers were lucky that their data wasn't sold on the darknet, but it was still a serious breach on the part of the company. A more nefarious individual could have caused substantial harm to the customers just by listing the data on a marketplace.

