Anatomy of a Breach

Anatomy of a Breach: Capital One — 106 Million Records via a Misconfigured Cloud WAF

> series: anatomy_of_a_breach —— part: 127 —— target: capital_one —— records: 106,000,000 —— method: ssrf_via_misconfigured_waf

Hedgehog Security 31 July 2019 14 min read

106 million records. A misconfigured WAF. A cloud-native attack that defined the era.

On 29 July 2019, Capital One disclosed that an intruder had accessed the personal data of approximately 106 million credit card customers and applicants (about 100 million in the United States and 6 million in Canada). The data had been taken in March 2019. It included names, addresses, phone numbers, dates of birth, self-reported income, credit scores and, for approximately 140,000 US customers, Social Security numbers; for approximately 80,000, linked bank account numbers; and for approximately one million Canadian customers, Social Insurance Numbers.

The attacker was Paige Thompson, a former Amazon Web Services software engineer who understood the infrastructure Capital One ran on. Thompson exploited a Server Side Request Forgery (SSRF) condition in a misconfigured Web Application Firewall (WAF) hosted on an EC2 instance to reach the AWS instance metadata service, obtain the temporary credentials of the instance's IAM role, and use those credentials to enumerate and copy the contents of S3 buckets holding customer data. The attack was a textbook cloud-native exploitation chain, and it became the reference case for cloud misconfiguration as a breach vector for organisations that had migrated to the cloud.


SSRF → metadata → credentials → 106 million records.

Capital One Breach — Cloud-Native Kill Chain
── Initial Access ──────────────────────────────────────────
SSRF vulnerability in misconfigured WAF
Attacker sends crafted request through WAF to internal services

── Credential Theft ────────────────────────────────────────
SSRF used to access AWS metadata service (169.254.169.254)
Temporary IAM credentials obtained from instance metadata

── Data Access ─────────────────────────────────────────────
Stolen IAM credentials used to list and access S3 buckets
106 million customer records exfiltrated from S3

── Detection ──────────────────────────────────────────────
Intrusion on 22–23 March 2019 went unnoticed by Capital One for nearly four months
Attacker discussed the hack on Slack and Twitter and posted details in a GitHub gist
Outside tip-off to Capital One's responsible-disclosure mailbox on 17 July 2019
FBI arrested Thompson on 29 July 2019, the day the breach was disclosed
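
The kill chain above was caught only by a tip-off, which raises the question of what telemetry would have flagged it. One signal was there in CloudTrail the whole time: the WAF instance's role credentials were being used from an address that was not the WAF instance. The check below is an added example, not code from the article or from Capital One, and it is a minimal version of the logic behind findings such as GuardDuty's InstanceCredentialExfiltration. It relies on a documented property of EC2 instance-role sessions: the role-session name is the instance ID, so the session ARN in CloudTrail ends in "/i-...". The CloudTrail records, IP addresses, role name, instance ID and bucket name are all constructed for the example.

```python
"""Detect EC2 instance-role credentials being used from outside the instance.

Added example (not from the original article or from Capital One).
EC2 instance-role sessions carry the instance ID as the role-session name,
so the ARN in CloudTrail ends with '/i-...'. Any API call made with such a
session should originate from that instance's own addresses; a call from
elsewhere means the temporary credentials left the box (for example via
SSRF against IMDS). Records, IPs and names below are constructed.
"""
import json

# Constructed CloudTrail-style records, trimmed to the fields used here.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2019-03-22T15:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.3.17",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc123def456"}},
    {"eventTime": "2019-03-22T15:40:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc123def456"}},
    {"eventTime": "2019-03-22T15:41:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc123def456"},
     "requestParameters": {"bucketName": "example-customer-applications"}},
    {"eventTime": "2019-03-22T16:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Constructed inventory: instance ID -> addresses that instance legitimately
# appears from (its private IP via a VPC endpoint, its NAT/EIP via the internet).
INSTANCE_IPS = {"i-0abc123def456": {"10.0.3.17", "203.0.113.50"}}


def instance_id_from_session(user_identity):
    """Return the instance ID if this is an EC2 instance-role session, else None."""
    if user_identity.get("type") != "AssumedRole":
        return None
    session_name = user_identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def find_exfiltrated_instance_creds(events, instance_ips):
    """Return events where an instance-role session called the API from an IP
    that is not one of that instance's own addresses."""
    flagged = []
    for ev in events:
        instance_id = instance_id_from_session(ev.get("userIdentity", {}))
        if instance_id is None:
            continue
        src = ev.get("sourceIPAddress", "")
        # Calls made on the instance's behalf by an AWS service carry a service
        # hostname rather than an IP; those are not credential exfiltration.
        if src.endswith(".amazonaws.com"):
            continue
        if src not in instance_ips.get(instance_id, set()):
            flagged.append({"eventTime": ev["eventTime"], "eventName": ev["eventName"],
                            "instance": instance_id, "sourceIPAddress": src})
    return flagged


if __name__ == "__main__":
    for hit in find_exfiltrated_instance_creds(SAMPLE_CLOUDTRAIL, INSTANCE_IPS):
        print(json.dumps(hit))
```

Run against the constructed records, the first GetObject (from the instance's own private IP) passes and the ListBuckets and GetObject from 198.51.100.23 are flagged. The inventory of per-instance addresses is the hard part in practice: it has to track EIP changes and NAT gateways, which is why a managed service that already knows the instance's network position is usually the better home for this rule.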

SSRF, metadata services, and IAM — the new attack surface.

Cloud-Native Vulnerabilities
The Capital One attack was a cloud-native exploit chain: SSRF → metadata service → IAM credentials → S3 access. This is not a traditional network attack — it exploits the design patterns of cloud architecture itself. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> specifically assess SSRF protection, metadata service access controls, IAM privilege levels, and S3 bucket permissions.
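
The first link in that chain is a server that fetches whatever URL it is handed. The validator below is an added example, not code from the article or from any WAF product, showing the "before" (fetch anything) beside the hardened form that refuses link-local, loopback and private destinations. It also covers the encodings attackers use to slip 169.254.169.254 past a naive string match: a single decimal or hex integer, octal dotted form, the two-part inet_aton form and an IPv4-mapped IPv6 literal. The URLs in the usage are constructed. Plain DNS names are passed through deliberately: the check must be applied again to the resolved address at connect time, or egress to 169.254.0.0/16 blocked on the host, since this function does not resolve names.

```python
"""Reject SSRF targets that would reach link-local or private networks.

Added example, not from the original article or any WAF product. The URL
literals and hostnames in the usage are constructed. DNS names are not
resolved here; re-check the resolved address at connect time as well.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Link-local (IMDS is 169.254.169.254 and fd00:ec2::254), loopback, RFC 1918,
# carrier-grade NAT, "this" network, IPv6 link-local and unique-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _ipv4_component(s):
    """Parse one dotted component the way inet_aton does: hex, octal or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s, 16)
    if re.fullmatch(r"0[0-7]+", s):
        return int(s, 8)
    if re.fullmatch(r"\d+", s):
        return int(s, 10)
    raise ValueError(s)


def host_to_ip(host):
    """Return the IP address a host literal denotes, or None if it is a DNS name.
    Handles '2852039166', '0xa9fea9fe', '0251.0376.0251.0376', '169.254.43518'."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_ipv4_component(p) for p in parts]
    except ValueError:
        return None                      # not numeric: treat as a DNS name
    *lead, last = nums
    # inet_aton semantics: the last component fills all remaining bytes.
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(lead)))) | last
    return ipaddress.IPv4Address(value)


def is_safe_target(url):
    """True only for http(s) URLs whose host is not an internal-network literal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES:
        return False
    ip = host_to_ip(host)
    if ip is None:
        return True                      # DNS name: caller must re-check after resolution
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped              # ::ffff:169.254.169.254 is still IMDS
    return not any(ip in net for net in BLOCKED_NETS)


def vulnerable_relay(url, fetch):
    """Before: fetch whatever the caller asks for. This is the SSRF."""
    return fetch(url)


def hardened_relay(url, fetch):
    """After: refuse internal destinations before any connection is made."""
    if not is_safe_target(url):
        raise ValueError(f"refusing to fetch internal target: {url}")
    return fetch(url)


if __name__ == "__main__":
    fake_fetch = lambda u: f"fetched {u}"      # stands in for the real HTTP client
    imds = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print(vulnerable_relay(imds, fake_fetch))  # the relay happily hits IMDS
    try:
        hardened_relay("http://2852039166/latest/meta-data/", fake_fetch)
    except ValueError as e:
        print(e)
```

The `fetch` callable is injected so the example runs without network access; in a real relay it would be the HTTP client, and the same check must run on every redirect hop, since a 302 from an allowed host to 169.254.169.254 is the standard bypass.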
Metadata Service Exploitation
AWS's instance metadata service (IMDS) hands the temporary credentials of the IAM role attached to an EC2 instance to any process on that instance that can issue an HTTP GET to 169.254.169.254. If an SSRF vulnerability lets an attacker make the instance issue that GET on their behalf, they receive credentials carrying whatever permissions the role has been granted. AWS subsequently released IMDSv2 (November 2019), which answers metadata GETs only when they carry a session token first obtained with an HTTP PUT; a GET-only SSRF cannot complete that exchange. It is a mitigation only where it is enforced (HttpTokens set to required on the instance), because an instance that still accepts IMDSv1 requests is as exposed as before. Our <a href="/penetration-testing/cloud-configuration-review">cloud reviews</a> verify IMDSv2 enforcement.
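
To make the v1/v2 difference concrete, the following added example (not code from the article or from AWS) runs a stand-in for the metadata service on localhost and points a GET-only SSRF relay at the credentials path in both modes. The request paths and header names are the real IMDS ones (PUT /latest/api/token with X-aws-ec2-metadata-token-ttl-seconds, then GET with X-aws-ec2-metadata-token); the role name, credential values and the local server are constructed for the demonstration.

```python
"""IMDSv1 versus IMDSv2 as seen through a GET-only SSRF relay.

Added example, not code from the original article or from AWS. A tiny
stand-in for the instance metadata service runs on localhost so the
behaviour can be observed offline. Role name and credentials are made up;
the paths and header names are the real IMDS ones.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE = "example-waf-role"                                         # assumed name
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x", "Token": "y"}
CREDS_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE}"


class FakeIMDS(BaseHTTPRequestHandler):
    """Minimal metadata endpoint. `v2_required` mirrors the instance option
    HttpTokens=required (aws ec2 modify-instance-metadata-options --http-tokens required)."""
    v2_required = False
    tokens = set()

    def do_PUT(self):
        # IMDSv2 token handshake: only a PUT with the TTL header gets a token.
        if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            tok = secrets.token_urlsafe(16)
            self.tokens.add(tok)
            self._send(200, tok)
        else:
            self._send(404, "not found")

    def do_GET(self):
        tok = self.headers.get("X-aws-ec2-metadata-token")
        if self.v2_required and tok not in self.tokens:
            self._send(401, "unauthorized")          # v2: no token, no metadata
            return
        if self.path == CREDS_PATH:
            self._send(200, json.dumps(FAKE_CREDS))  # v1 (or valid v2 token): creds
        else:
            self._send(404, "not found")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):                    # keep the demo quiet
        pass


def start_fake_imds(v2_required):
    """Start the stand-in on an ephemeral port; returns (base_url, server)."""
    FakeIMDS.v2_required = v2_required
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}", srv


def relay_get(url):
    """All a GET-forwarding SSRF gives the attacker: the status and body of one
    GET. The attacker picks the URL but cannot change the method or add headers."""
    try:
        with urllib.request.urlopen(url, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def fetch_with_v2_token(base_url):
    """Legitimate IMDSv2 client: PUT for a session token, then GET with it."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base_url + CREDS_PATH,
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.status


def ssrf_status(v2_required):
    """HTTP status the SSRF relay sees when pointed at the credentials path."""
    base, srv = start_fake_imds(v2_required)
    try:
        status, _ = relay_get(base + CREDS_PATH)
        return status
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("IMDSv1 via SSRF relay:", ssrf_status(False))    # 200: credentials leak
    print("IMDSv2 via SSRF relay:", ssrf_status(True))     # 401: GET without token refused
    base, srv = start_fake_imds(True)
    print("IMDSv2 legitimate client:", fetch_with_v2_token(base))   # 200
    srv.shutdown()
    srv.server_close()
```

Two caveats a practitioner should keep in mind. IMDSv2 also sets the PUT response hop limit to 1 by default, so the token is not forwarded through a NAT hop, which is what stops a relay in a container from completing the handshake. And it does nothing against an SSRF that gives the attacker control over the HTTP method and headers, or against code execution on the instance itself; in those cases the remaining defences are the role's permissions and the detection of credentials used off-box.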
Over-Privileged IAM Roles
The IAM role attached to the WAF instance was permitted to list S3 buckets and read the buckets holding 106 million customer records, although a WAF has no business need to touch customer data at all. The principle of least privilege, limiting each role to the minimum permissions its workload requires, was not applied, so a single leaked credential opened everything. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess IAM privilege levels.
WAF Misconfiguration as Entry Point
The Web Application Firewall — a security tool — was the entry point for the attack due to its misconfiguration. Like <a href="/blog/anatomy-of-a-breach-cloudbleed">Cloudbleed</a> (2017) and the <a href="/blog/anatomy-of-a-breach-rsa-securid">RSA breach</a> (2011), the security tool became the vulnerability. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses security tool configurations.

Cloud migration does not eliminate risk — it transforms it.

The Capital One breach established that cloud migration, for all its security benefits, introduces new vulnerability classes that require cloud-specific security expertise. SSRF, metadata service exploitation, over-privileged IAM roles and S3 bucket misconfiguration are the cloud equivalents of the SQL injection, default credentials and network segmentation failures that have appeared throughout this series. The attack surface has changed; the need for testing has not.

Our cloud configuration reviews assess AWS, Azure, and GCP security posture. Web application testing includes SSRF assessment. Cyber Essentials addresses cloud service security. SOC in a Box monitors cloud environments for anomalous API calls and data access patterns. And UK Cyber Defence provides incident response for cloud-native breaches.


Capital One lost 106 million records through a cloud misconfiguration. Has your cloud been tested?

Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess SSRF, metadata, IAM, and storage security. <a href="/cyber-essentials">Cyber Essentials</a> addresses cloud service security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors cloud environments.
