
Headlines Former AWS Engineer Arrested as Capital One Admits Massive Data Breach

ib4

Error
Staff


Before you read, a thought of mine: This woman tweeted and commented on GitHub, boasting about her actions. Now of course, it's possible this is exactly how it all happened. But I am starting to think it's also possible she was a patsy or something. Something is fishy that this engineer was stupid enough to go boasting about her actions on such common websites...

A massive breach of Capital One customer data has hit more than 100 million people in the U.S. and 6 million in Canada.

Thanks to a cloud misconfiguration, a hacker was able to access credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to ever hit a financial services company — putting it in the same league in terms of size as the Equifax incident of 2017.

The FBI has already arrested a suspect in the case: A former engineer at Amazon Web Services (AWS), Paige Thompson, after she boasted about the data theft on GitHub.

According to a criminal complaint filed in the Western District of Washington’s U.S. Attorney’s Office, the intrusion occurred between March 19 and July 17 via a “misconfigured web application firewall.”

The illegally accessed data, which was stored on cloud servers rented from AWS, was primarily related to credit-card applications made between 2005 and early 2019, by both consumers and businesses. These include a raft of personal information, such as names, addresses and dates of birth; and financial information, including self-reported income and credit scores.

According to Capital One, no credit-card account numbers or log-in credentials were compromised and only about 140,000 Social Security numbers are impacted, meaning that “over 99 percent of Social Security numbers” were untouched, the company said. In Canada, about 1 million social insurance numbers were compromised.



-------------------------------------
More @ https://threatpost.com/aws-arrest-data-breach-capital-one/146758/
 

YogurtExplosion

Sniper Wolf
According to Capital One, no credit-card account numbers or log-in credentials were compromised and only about 140,000 Social Security numbers are impacted, meaning that “over 99 percent of Social Security numbers” were untouched, the company said.
That's the biggest lie I've ever heard.
 

BRiT

CRaZY
Founder
Another situation where the hacker was caught by supplying their own evidence, they talked about it via DM on a local hacker meetup group. The other recipient sent the info directly to Capital One.

They were compromised on Amazon Web Services by a Web Application Firewall account being hacked/leaked directly from Capital One's network. This WAF account had access to 99% of all their Amazon Containers. This wasn't a misconfiguration, this was a major fuckup.
 

CoprophagousCop

Why am I seeing a panda in my avatar picture?
Premium
But isn't Capital One just renting the space on Amazon's servers? Wouldn't it be up to Amazon to maintain the servers and routers and firewalls ... ? :shrug:

The Cloud = Other people's computers
 

BRiT

No. It's up to the customer (Capital One) to configure what they rent out. Amazon has no idea WTF their customer needs are. The cloud is just renting of server capabilities. Amazon has no idea if Website A needs to communicate with Service B that talks to Database C or if Website A has to talk to Service Q that talks to Database Z. Or if Website A doesn't need any other communications.

Amazon's own site on this: https://aws.amazon.com/waf/
 

ib4

Another situation where the hacker was caught by supplying their own evidence, they talked about it via DM on a local hacker meetup group. The other recipient sent the info directly to Capital One.

They were compromised on Amazon Web Services by a Web Application Firewall account being hacked/leaked directly from Capital One's network. This WAF account had access to 99% of all their Amazon Containers. This wasn't a misconfiguration, this was a major fuckup.
No. Incompetence on Capital One's part.

From what I understand... There is no reason to allow the account to have access to the actual data in your databases (Containers in cloud speak). This account should only be able to set up firewall rules.
Exactly what we were saying over here.
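
The least-privilege point made in the post above (a firewall account should only be able to set up firewall rules), as an added example that is not part of the thread: a Python check over IAM-style policy JSON that lists every Allow grant outside the WAF service prefixes. Both policies are constructed samples, not Capital One's configuration; the function name and the allowed-prefix set are assumptions.

```python
import json

# Service prefixes a firewall-management role should need (assumption for this example).
ALLOWED_SERVICES = {"waf", "waf-regional", "wafv2"}

def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def out_of_scope_grants(policy, allowed=ALLOWED_SERVICES):
    """Return (statement id, action) pairs that Allow access outside `allowed`."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "NotAction"))
        for action in _as_list(stmt.get("Action")):
            service = action.split(":", 1)[0].lower()
            # "*" or a wildcarded prefix is treated as out of scope (conservative).
            if "*" in service or "?" in service or service not in allowed:
                findings.append((sid, action))
    return findings

# Constructed sample: a firewall role that can also list and read S3 data.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ManageWaf", "Effect": "Allow", "Action": "wafv2:*", "Resource": "*"},
  {"Sid": "ReadData", "Effect": "Allow",
   "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"], "Resource": "*"}
]}
""")

# Constructed sample: the same role limited to firewall rule management.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": {
  "Sid": "ManageWaf", "Effect": "Allow",
  "Action": ["wafv2:GetWebACL", "wafv2:ListWebACLs", "wafv2:UpdateWebACL"],
  "Resource": "*"}}
""")

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, out_of_scope_grants(policy))
```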
 

CoprophagousCop

They [Capital One] were compromised on Amazon Web Services by a Web Application Firewall account being hacked/leaked directly from Capital One's network. This WAF account had access to 99% of all their Amazon Containers.
So who had access to the Web Application Firewall account? Was this something that the Amazon Web Services engineer had access to?

The people at Capital One made a (major) mistake, but did it take someone with Amazon Web Services know-how to notice it?