When the Cloud Goes Wrong
In July 2019, Capital One disclosed one of the largest breaches ever to hit the financial sector. A single individual exploited a misconfigured firewall in Capital One's Amazon Web Services (AWS) infrastructure to steal data on 106 million people.
The attacker, a former AWS employee, used her knowledge of cloud infrastructure to exploit a Server-Side Request Forgery (SSRF) vulnerability that gave her access to Capital One's stored data.
What Was Compromised
The breach exposed data from credit card applications submitted between 2005 and 2019:
- Names, addresses, phone numbers, and email addresses
- Dates of birth and self-reported income
- Social Security numbers for approximately 140,000 people
- Bank account numbers for roughly 80,000 accounts
- Credit scores, limits, balances, and payment history
- Transaction data spanning multiple years
For Canadian customers, approximately 1 million Social Insurance Numbers were also exposed.
The Technical Breakdown
The attack exploited three interconnected weaknesses:
- A misconfigured Web Application Firewall (WAF) whose configuration was far too permissive
- An SSRF vulnerability that allowed the attacker to query AWS metadata services from the WAF
- Overly broad IAM role permissions that gave the WAF's role access to S3 buckets containing customer data
The attacker sent crafted requests to the WAF that caused it to query the AWS Instance Metadata Service (IMDS) on her behalf. The IMDS returned the temporary security credentials of the WAF's IAM role, which she then used to list and download data from Capital One's S3 buckets.
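The SSRF step in this chain is the one a defender can close at the application layer. As an added example that is not from the article or from Capital One's systems, here is a Python outbound-URL guard of the kind a WAF or any server-side URL fetcher should apply before following a caller-supplied URL: it denies link-local and private destinations, including the IMDS address, by checking the addresses a host resolves to rather than the host string. The `check_outbound_url` name, the injectable `resolve` hook and the sample addresses are this example's own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach on a client's behalf.
# 169.254.0.0/16 is link-local and holds the IMDS endpoint (169.254.169.254);
# fd00::/8 covers its IPv6 endpoint. Loopback and RFC 1918 ranges keep the
# fetcher away from other internal services as well.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fd00::/8",
)]


def _resolve(host):
    """Default resolver: every address (A and AAAA) the name maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_outbound_url(url, resolve=_resolve):
    """Return (allowed, reason). The decision uses resolved addresses, not the
    host string, so a name pointing back into link-local space is caught.
    `resolve` is injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # lower-cased; port, userinfo and [] already stripped
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, "cannot resolve %s: %s" % (host, exc)
    for addr in addrs:
        # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 before the range check.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if addr.is_unspecified or any(addr in net for net in BLOCKED_NETWORKS):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the second uses a fake resolver instead of live DNS.
    print(check_outbound_url("http://169.254.169.254/"))
    print(check_outbound_url("https://api.example", resolve=lambda h: ["203.0.113.10"]))
```

This guard only stops the fetcher from reaching the endpoint; IMDSv2 on the instance and a least-privilege IAM role remain the complementary controls for the other two weaknesses.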
What Makes This Breach Instructive
The Capital One breach became a defining case study for cloud security:
- Shared responsibility model — AWS secures the cloud infrastructure, but customers are responsible for their own configurations. Capital One's misconfiguration was its responsibility.
- SSRF is a critical threat — AWS later introduced IMDSv2, which requires session tokens for metadata requests, partially mitigating this class of attack.
- Least privilege matters — the WAF's IAM role had access to far more data than it needed for its function.
The Aftermath
- $80 million fine from the Office of the Comptroller of the Currency
- $190 million settlement in a class action lawsuit
- Criminal charges — the attacker was convicted of wire fraud and computer intrusions
Capital One also invested heavily in improving its cloud security posture, becoming an advocate for cloud-native security tooling.
Protecting Your Financial Data
- Monitor your credit reports regularly for unauthorized inquiries or new accounts
- Set up transaction alerts on all bank and credit card accounts
- Use strong, unique passwords for every financial institution
- Consider a credit freeze if your Social Security number was exposed
Check your exposure status on LeakedSource and enable monitoring for your email addresses and other identities.