An In-Depth Look at the Capital One Data Breach

Lawrence Amer
Axon Technologies
Aug 15, 2019

Story

A data breach of Capital One servers in March 2019 exposed the personal information of nearly 100 million of the bank’s customers. The breach gave the hacker access to personal data from credit card applications submitted between 2005 and early 2019. The exposed data included names, addresses, dates of birth, credit scores, Social Security numbers, and linked bank account numbers. The company’s share price fell nearly 6% the morning after the breach was announced and is currently trading at around $83, down from $90 on July 16. The company estimates that it will incur between $100mn and $150mn in costs related to the hack, including technology costs, customer notifications, and legal support.

On July 17, 2019, an unknown individual emailed Capital One’s Responsible Disclosure department to report that leaked S3 data belonging to the bank had been posted on GitHub, and provided the URL of the file containing the leaked data. Surprisingly, personal information about the poster of the leaked data was publicly visible on the GitHub page. The ease with which the full name of the attacker, Paige Thompson, was revealed is out of the ordinary for a breach of this magnitude.

The FBI conducted an investigation that linked Paige Thompson directly to the breach. It concluded that between March 12, 2019 and July 17, 2019, Thompson accessed data belonging to Capital One Financial Corporation without authorization and then published that data on her personal GitHub page, which carried her full name and address. She was later identified as a former employee of Amazon’s cloud service business.

Thompson used an IP address controlled by IPredator, a company that provides VPN services. On June 27, 2019, an unknown user posted “Don’t go to jail plz”. A user called <erratic> replied: “wa wa, I m like >ipredator>tor>s3 on all this shit”; and then: “I wanna get it off my server, that’s why I am archiving all of it lol”. Paige Thompson later stated on one of her social-media accounts that she had data from Capital One.

Intrusion

After Capital One investigated the leaked and shared file, it determined that the file contained the IP address of a specific server and that a firewall misconfiguration had allowed the attacker to execute commands on that server through an attack classified as Server-Side Request Forgery (SSRF). An SSRF vulnerability lets an attacker make the back-end server of a vulnerable web application send requests the attacker has crafted. Criminals typically use SSRF to reach internal systems that sit behind firewalls and are not reachable from the external network. An attacker may also use SSRF to reach services bound to the loopback interface (127.0.0.1) of the exploited server.

The attack began with the attacker reaching the instance metadata server [http://169.254.169.254] that Amazon Web Services (AWS) exposes to each instance. Through its HTTP interface she retrieved node information such as IP address, location, and host name. She was also able to obtain temporary credentials for other AWS services, as granted by the permission policies of the Identity and Access Management (IAM) role attached to this AWS instance. Using all of this information, the attacker was able to gain access to the server via SSRF.

1. Request: [http://169.254.169.254/iam/security-credentials]

2. Retrieved role name: ***-WAF-Role (the Capital One Web Application Firewall role for a specific network)

3. Request: [169.254.169.254/iam/security-credentials/***-WAF-Role]

4. Retrieved the temporary credentials assigned to the AWS instance:
AccessKeyId: “<access key>”
SecretAccessKey: “<secret key>”
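The SSRF-to-metadata path above is exactly what a server-side URL guard is meant to stop: before the application fetches a URL on a user's behalf, it should resolve the destination and refuse anything that lands on the metadata address, loopback, or an internal range. The Python check below is an added example, not code from the original article or from Capital One. The BLOCKED_NETWORKS list, the injectable resolver parameter, and the function names are choices made for this example; the 169.254.169.254 address is the metadata endpoint the article names.

```python
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlparse

# Destinations an application-initiated fetch must never reach. The AWS instance
# metadata address named in the article, 169.254.169.254, sits in the link-local range.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918 private ranges
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("169.254.0.0/16"),    # link-local, includes the metadata service
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]


def address_is_blocked(addr: str) -> bool:
    """True if a resolved address falls in a range the application must not contact."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as 169.254.169.254.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str,
                       resolver: Callable = socket.getaddrinfo) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the application is about to fetch for a user.

    The vulnerable server in the article trusted such URLs as-is; this guard allows only
    http(s), resolves the host, and refuses if any address it maps to is in
    BLOCKED_NETWORKS. `resolver` is injectable so the check runs without network access.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError, UnicodeError) as exc:
        return False, f"resolution failed, refusing: {exc}"   # fail closed
    addresses = {info[4][0] for info in infos}
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in sorted(addresses):
        if address_is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/iam/security-credentials",
                      "http://[::ffff:169.254.169.254]/",
                      "http://93.184.216.34/"):
        print(candidate, check_outbound_url(candidate))
```

Two caveats apply. The address that was checked must be the address that is connected to (pin the resolved IP for the request, and re-run the check inside any redirect handler), otherwise DNS rebinding or an HTTP redirect bypasses the guard. And on the instance side, requiring IMDSv2, whose session token must be obtained with a PUT request that a plain SSRF GET cannot issue, removes the credential-theft step independently of the application code.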

Exfiltration

Capital One determined that the following commands were then executed, in this order, to collect data:

1. Obtain security credentials for an account known as ***-WAF-Role

2. List the names of the folders or buckets in Capital One’s storage space

3. Extract or copy data from those folders or buckets using the sync command

4. The file named ***cooo.snappy.parquet was the first file copied from those folders or buckets

5. On April 21, 2019, a list-buckets command was executed from IP address 46.246.35.103 (controlled by IPredator)

According to Capital One, the extracted data consisted primarily of information related to credit card applications, including approximately 120,000 Social Security numbers and 77,000 bank account numbers.
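The exfiltration sequence above leaves a recognizable trace: S3 enumeration and read calls made with an EC2 instance role, but from an IP address that is not one of the instance's own egress addresses. The Python detector below is an added example, not code from the original article or from Capital One, and runs over constructed CloudTrail-style records embedded in the block (not real logs). The account id, role name EXAMPLE-WAF-Role, bucket, and expected egress range 203.0.113.0/24 are placeholders; 46.246.35.103 is the IPredator address the article names. It relies on the fact that credentials issued by the instance metadata service appear in CloudTrail as an assumed-role session whose session name is the instance id.

```python
import ipaddress
import json
from typing import Dict, List

# Egress addresses the instance role is expected to call AWS from (constructed; in a real
# account these are the NAT gateway or Elastic IP addresses of the VPC hosting the instance).
EXPECTED_SOURCE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# S3 API calls matching the article's "list buckets" and "sync/copy" steps.
S3_ENUMERATION = {"ListBuckets", "ListObjects", "ListObjectsV2"}
S3_READ = {"GetObject"}

# Constructed, abbreviated CloudTrail records; not real Capital One logs. Account id,
# role name and bucket are placeholders; 46.246.35.103 is the IPredator address from the article.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2019-04-21T03:12:07Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "46.246.35.103",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/EXAMPLE-WAF-Role/i-0123456789abcdef0"}},
 {"eventTime": "2019-04-21T03:15:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "46.246.35.103",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/EXAMPLE-WAF-Role/i-0123456789abcdef0"},
  "requestParameters": {"bucketName": "example-bucket", "key": "example.snappy.parquet"}},
 {"eventTime": "2019-04-21T04:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/EXAMPLE-WAF-Role/i-0123456789abcdef0"},
  "requestParameters": {"bucketName": "example-bucket", "key": "waf-logs/2019-04-21.log"}},
 {"eventTime": "2019-04-21T04:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "46.246.35.103",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}}
]""")


def instance_role_session(record: Dict) -> str:
    """Return the role name if the caller is an EC2 instance-role session, else ''.

    The ARN has the form arn:aws:sts::<account>:assumed-role/<role>/<session>; for
    credentials handed out by the instance metadata service the session is the instance id.
    """
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return ""
    parts = identity.get("arn", "").rsplit("/", 2)
    if len(parts) != 3 or not parts[2].startswith("i-"):
        return ""
    return parts[1]


def source_is_expected(ip: str) -> bool:
    """True if the caller's source address is one of the instance's known egress ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False   # non-IP values such as service names never match an egress range
    return any(addr in net for net in EXPECTED_SOURCE_NETWORKS)


def find_misused_instance_credentials(events: List[Dict]) -> List[Dict]:
    """Flag S3 enumeration/read calls made with an instance role from outside expected ranges."""
    findings = []
    for record in events:
        if record.get("eventSource") != "s3.amazonaws.com":
            continue
        name = record.get("eventName")
        if name not in S3_ENUMERATION | S3_READ:
            continue
        role = instance_role_session(record)
        if not role:
            continue   # human or service principals are out of scope for this rule
        ip = record.get("sourceIPAddress", "")
        if source_is_expected(ip):
            continue
        findings.append({
            "time": record["eventTime"], "role": role, "source_ip": ip, "action": name,
            "bucket": record.get("requestParameters", {}).get("bucketName"),
            "stage": "enumeration" if name in S3_ENUMERATION else "read",
        })
    return findings


if __name__ == "__main__":
    for finding in find_misused_instance_credentials(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The rule deliberately ignores the last record, a human IAM user calling ListBuckets from the same VPN address, because the signal it looks for is instance credentials leaving the instance; a separate rule would cover unusual human logins. AWS GuardDuty ships a built-in finding for instance credentials used from outside AWS, and the same logic can be expressed as a CloudTrail Lake or SIEM query once the expected egress ranges are known.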

Lawrence Amer
Axon Technologies
OSCE, OSCP, CPTE, Threat Hunting, Security Researcher