Capital One 2019
A former AWS engineer noticed a misconfigured firewall in front of a Capital One S3 bucket and walked out with the data of 106 million credit card applicants.
In July 2019, Capital One disclosed that an outsider had obtained the personal information of approximately one hundred and six million people who had applied for the bank's credit cards — Social Security numbers, addresses, income figures, fragments of credit history.
The misconfigured Web Application Firewall
The path of the intrusion was unusually traceable. A misconfigured ModSecurity WAF in front of a Capital One web application allowed a server-side request forgery: an attacker could persuade the WAF instance to make requests to the AWS instance-metadata service, harvest IAM credentials assigned to the role that WAF instance ran under, and then use those credentials to enumerate and download data from S3 buckets the role could read.
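The tail of that chain, instance-role credentials being replayed from somewhere other than the instance they were issued to, is the part a defender can see in CloudTrail. The following is an added example, not Capital One's or AWS's code: it scans simplified CloudTrail-shaped records and flags S3 enumeration or download calls made with an EC2 instance-profile session from an address outside the constructed egress ranges; the role name, account id and IP ranges are all made up.

```python
import ipaddress
from typing import Iterable

# Constructed: egress ranges an instance role in this account is expected to call from.
TRUSTED_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.0.0.0/8")]
# Enumeration and bulk-download calls that matter once role credentials leak.
S3_READ_CALLS = {"ListBuckets", "ListObjectsV2", "GetObject"}

def is_instance_role_session(identity: dict) -> bool:
    """An EC2 instance-profile session carries the instance id as its session name."""
    if identity.get("type") != "AssumedRole":
        return False
    return identity.get("arn", "").rsplit("/", 1)[-1].startswith("i-")

def is_trusted_source(source: str) -> bool:
    """CloudTrail's sourceIPAddress may be an AWS service hostname rather than an IP;
    those calls are AWS-internal, so only literal IPs outside TRUSTED_EGRESS count."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_EGRESS)

def suspicious_events(events: Iterable[dict]) -> list:
    """(eventName, sourceIPAddress, caller ARN) for every S3 read made with
    instance-role credentials from an address the instance itself would never use."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in S3_READ_CALLS:
            continue
        ident = ev.get("userIdentity", {})
        if is_instance_role_session(ident) and not is_trusted_source(ev.get("sourceIPAddress", "")):
            hits.append((ev["eventName"], ev["sourceIPAddress"], ident["arn"]))
    return hits

# Constructed sample: the WAF instance's own S3 read, the same role's credentials reused
# from an outside address, then two unrelated calls that must not be flagged.
WAF_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/waf-role/i-0abc123"}
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7", "userIdentity": WAF_ROLE},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.42", "userIdentity": WAF_ROLE},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "198.51.100.42",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.42", "userIdentity": WAF_ROLE},
]
```

Only the ListBuckets call from 198.51.100.42 is reported; requiring IMDSv2 on the instance and trimming the role to the buckets the WAF actually needs shrinks what such a hit can reach in the first place.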
The attacker, identified as Paige Thompson, was a former Amazon Web Services engineer. She had posted about the breach in Slack-style chat servers and a GitHub Gist. A tipster saw the posts and emailed Capital One. The FBI was at her door within days.
A penalty written for the cloud era
Capital One settled with US regulators for $80 million in 2020 and with affected customers for another $190 million in 2022. More consequentially, the case became a fixture in cloud security training. The phrase "IMDSv1 risk" was suddenly intelligible to executives.
What the chronicle remembers
Capital One is the canonical SSRF-into-cloud-metadata case study. AWS shipped IMDSv2 the following year specifically to make this class of attack harder. The lesson — that a single misconfigured perimeter device with an over-privileged IAM role can substitute for an entire intrusion chain — has shaped cloud security guidance ever since.