Capital One hacker exploits a common Amazon cloud vulnerability to access 106 million accounts


The hacker who stole more than 106 million records from Capital One this past week was able to do so because of “a specific configuration vulnerability,” according to the company, long known for having a strong security team.

A Wall Street Journal analysis of records left behind by the alleged hacker, Paige A. Thompson, a former Amazon cloud-computing employee, implies that Thompson exploited a security hole that professionals have been aware of for years.

Thompson hit the core of Amazon's cloud technology, accessing the company's metadata service. This enabled her to access data and credentials responsible for managing a vast number of critical cloud servers. After testing a number of computers and networks for security gaps, Thompson homed in on Capital One's computers, which she determined were misconfigured.

Per the WSJ, even as she was downloading the data from Capital One's computers, Thompson was posting direct messages about major security issues on public message boards: "Dude so many people are doing it wrong." The massive Capital One breach has led many security professionals to criticize Amazon's practices, with many claiming that the company doesn't do enough to alert its customers to misconfigured data that is ripe for hacking.

Per the WSJ, "The Capital One data breach isn’t the first time data stored in the cloud has been stolen. But the fact that the fifth-largest U.S. credit-card issuer has become a victim is reviving concerns about cloud computing." The breach has undoubtedly caught the attention of the Federal Reserve, which has been deeply studying the use of the cloud for storage of critical financial data.

