Capital one hacked - Super hacker named 4chan?

Capital One was hacked, 100 million users affected
https://www.stltoday.com/news/natio...d043fb33b5.html#tracking-source=home-breaking

SEATTLE (AP) — A hacker gained access to personal information from more than 100 million Capital One credit applications, the bank said Monday as federal authorities arrested a suspect in the case.
Paige A. Thompson — who also goes by the handle "erratic" — was charged with a single count of computer fraud and abuse in U.S. District Court in Seattle. Thompson made an initial appearance in court and was ordered to remain in custody pending a detention hearing Thursday.
The hacker got information including credit scores and balances plus the Social Security numbers of about 140,000 customers, the bank said. It will offer free credit monitoring services to those affected.
The FBI raided Thompson's residence Monday and seized digital devices. An initial search turned up files that referenced Capital One and "other entities that may have been targets of attempted or actual network intrusions."
A public defender appointed to represent Thompson did not immediately return an email seeking comment.

In this July 16, 2019, photo, a man walks across the street from a Capital One location in San Francisco. Capital One says a hacker got access to the personal information of over 100 million individuals applying for credit. The McLean, Virginia-based bank said Monday, July 29, it found out about the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator. (AP Photo/Jeff Chiu)
Capital One, based in McLean, Virginia, said Monday it found out about the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator.
According to the FBI complaint, someone emailed the bank two days before that notifying it that leaked data had appeared on the webhosting site GitHub.
And a month before that, the FBI said, a Twitter user who went by "erratic" sent Capital One direct messages warning about distributing the bank's data, including names, birthdates and Social Security numbers.
"Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it," one said. "I wanna distribute those buckets i think first."
Capital One said it believes it is unlikely that the information was used for fraud, but it will continue to investigate. The data breach affected about 100 million people in the U.S. and 6 million in Canada.

Capital One Financial Corp., the nation's seventh-largest commercial bank with $373.6 billion in assets as of June 30, is the latest U.S. company to suffer a major data breach in recent years.
In 2017, a data breach at Equifax, one of the major credit reporting companies, exposed the Social Security numbers and other sensitive information of roughly half of the U.S. population.
Last week, Equifax agreed to pay at least $700 million to settle lawsuits over the breach in a settlement with federal authorities and states. The agreement includes up to $425 million in monetary relief to consumer
 
The real fallout from this will be to Amazon. How many corporations do you think are now in a blind panic regarding their AWS assets? The hack was by an Amazon AWS Engineer directed at an AWS client. And just looking at “Paige” you know anybody sane is going to be questioning Amazon’s hiring practices regarding people that might gain access to personal or national security data.
oh shit this makes things real interesting.

Amazon has the data of large entities as well as private citizens like google does. If unstable employees weaponize this shit it would be chaos for all involved.
 
oh shit this makes things real interesting.

Amazon has the data of large entities as well as private citizens like google does. If unstable employees weaponize this shit it would be chaos for all involved.

It’s just stripped away the biggest benefit to Cloud services instead of maintaining your own data inside your own fortifications. You don’t know who works for the vendor, or who has access to what? Unlike in most other contractor arrangements you have no idea with regards to the vendor’s hiring practices and aren’t subjecting any of their personnel to review. You don’t even know who they are or how broad their reach goes. And that’s something everyone has been hand waving away and working on an honor system... until yet another crazy troon steps up to the plate.
 
The real fallout from this will be to Amazon. How many corporations do you think are now in a blind panic regarding their AWS assets? The hack was by an Amazon AWS Engineer directed at an AWS client. And just looking at “Paige” you know anybody sane is going to be questioning Amazon’s hiring practices regarding people that might gain access to personal or national security data.
Correct me if I’m wrong but the tranny didn’t have access via AWS. He exploited a vulnerability in Capital One’s system because their firewall wasn’t configured correctly.

There’s no blow back on Amazon, only on hiring unstable trannies.
 
Correct me if I’m wrong but the tranny didn’t have access via AWS. He exploited a vulnerability in Capital One’s system because their firewall wasn’t configured correctly.

There’s no blow back on Amazon, only on hiring unstable trannies.

It’s still going to burn them. The optics of a clearly unstable AWS Engineer breaching an AWS bank client is devastating. And no amount of “but technically...” is gonna make that go away. There are already questions of which other AWS clients he/she/Xir might have breached.
 
It’s just stripped away the biggest benefit to Cloud services instead of maintaining your own data inside your own fortifications. You don’t know who works for the vendor, or who has access to what? Unlike in most other contractor arrangements you have no idea with regards to the vendor’s hiring practices and aren’t subjecting any of their personnel to review. You don’t even know who they are or how broad their reach goes. And that’s something everyone has been hand waving away and working on an honor system... until yet another crazy troon steps up to the plate.
Same exact reason why the dipshits who got their nudes hacked in the fappening are responsible for their own embarrassment. Just because a data company tells you your stuff is safe with them doesn't mean you should just assume it actually is. They want your money, of course they're going to flatter their own abilities when they're selling you this fantasy. The best case scenario is that they'll eventually fuck up from sheer incompetence and/or a skilled infiltrator will gain access through a means they didn't anticipate. That's assuming the company in question doesn't staff itself with megalomaniacal ideologues who see nothing wrong with weaponizing the confidential access their company gives them to punish and destroy customers they don't like because the company wants to win the approval of the sliver of society that lives on woke twitter.
 
Same exact reason why the dipshits who got their nudes hacked in the fappening are responsible for their own embarrassment. Just because a data company tells you your stuff is safe with them doesn't mean you should just assume it actually is. They want your money, of course they're going to flatter their own abilities when they're selling you this fantasy. The best case scenario is that they'll eventually fuck up from sheer incompetence and/or a skilled infiltrator will gain access through a means they didn't anticipate. That's assuming the company in question doesn't staff itself with megalomaniacal ideologues who see nothing wrong with weaponizing the confidential access their company gives them to punish and destroy customers they don't like because the company wants to win the approval of the sliver of society that lives on woke twitter.
The iCloud hack wasn't a hack. All the celebrities were idiots who got phished and gave away their iCloud logins. Once you have that you can download iPhone backups and have access to the contents of their phone including photos, text messages, contacts, etc. It was an open secret on imageboards for 1-2 years before the fappening.

As for the AWS exploit people seem to be assuming SSRF. Basically somewhere on Capital One's website accepted URLs and returned the contents. Paige used that to access internal URLs and list the available IAM roles and found one with too many permissions. Here's a demo of the same exploit on a random website from 2017: https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/

TechCrunch has this screenshot which lists the other sites hacked:

Screen-Shot-2019-07-31-at-3.41.36-PM-1.jpg


According to TechCrunch everyone else is denying that any private data was stolen. Probably because they correctly applied permissions to their IAM roles and so the damage was contained.

I would guess all these companies use the same software for something. Probably meant to be on "hidden" domains but was indexed by Google and once you know one exploitable page you can search for others on Google. This would explain why shitty random sites are mixed in with big ones.

"Ohio gov crash" seems specific. When you Google for that the top result is: https://publicsafety.ohio.gov/wps/portal/gov/odps/what-we-do/crash-reports/ The whole site is down right now but it was probably the report generation software that was exploitable. Most of these hacked sites seem to be related to "big data" in some way and probably generate graphs to gawk at.

What you'd have to do is find the common software on all these sites and then check exploit DBs or security updates to confirm. Problem is they were probably all on "hidden" sites except the ohio.gov one so we'd have to wait for that to come back up (assuming it returns with the same software).

On the other hand maybe Paige did find 10+ different exploits in different software but you'd have to be lucky to achieve that in short time. Only paid professionals and kids have the time to find that many.
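
Added example, not part of the original post and not code from Capital One or AWS: a server-side guard for the kind of "accepts a URL and returns the contents" endpoint the post above describes, which refuses any URL whose host is, or resolves to, a non-public address such as the metadata service at 169.254.169.254. The host names and the stand-in DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host):
    """Every address the OS resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def blocked_reason(url, resolver=system_resolver):
    """Return None if a server-side fetch of url is acceptable, else why not."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ipaddress.ip_address(host)      # host is already an IP literal
        candidates = {host}
    except ValueError:
        try:
            candidates = resolver(host)  # check what the name points at
        except OSError:
            return "host does not resolve"
    if not candidates:
        return "host does not resolve"
    for text in candidates:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop IPv6 scope id
        mapped = getattr(ip, "ipv4_mapped", None)       # ::ffff:a.b.c.d form
        if mapped is not None:
            ip = mapped
        if not ip.is_global:  # loopback, private, link-local, reserved
            return f"{ip} is not a public address"
    return None

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
SAMPLE_DNS = {
    "reports.example.com": {"93.184.216.34"},
    "alias.example.net": {"169.254.169.254"},
}

def sample_resolver(host):
    """Look host up in SAMPLE_DNS; unknown names fail like a DNS error."""
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]
```

The fetch that follows has to connect to the address that was checked rather than resolve the name a second time, and the role attached to the instance should still carry only the permissions it needs, which is the containment the post credits the other companies with.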
 

A federal judge ruled Friday that the Seattle hacker charged in the massive Capital One data breach will remain in a men’s federal detention center, calling the transgender woman both a physical and financial danger.

U.S. Magistrate Judge Michelle Peterson said prosecutors proved Paige Thompson is a serious flight risk and would be a danger to the community if she’s released.


Thompson, a former Amazon employee, was arrested last month for allegedly stealing the personal information of more than 100 million Capital One customers, and hacking dozens of other companies.

“You are highly talented and have the means to create additional havoc in our banking system,” Judge Peterson said.

Prosecutors said Thompson should be detained for several reasons, including her lack of ties to the community, residential instability, and unemployment. All of those factors, prosecutors said, make Thompson a risk of flight. They also laid out her erratic behavior in recent years, including threats to shoot up a California social media company and threatening to commit “suicide by cop.”

“The record in this case shows Ms. Thompson is a danger,” said assistant U.S. attorney Andrew Friedman.

Thompson’s lawyers argued she should be released from jail in part because she’s being held with men.


“She’s a greater risk inside as opposed to outside,” said Mohammad Ali Hamoudi, arguing Thompson should be placed in a halfway house instead of a men’s prison. “The federal detention center is not equipped to treat gender dysphoria.”

Thompson is currently being held at the SeaTac Federal Detention Center in the male wing because the Bureau of Prisons houses inmates based on their “biological sex.” Prosecutors said the bureau is used to dealing with transgender offenders and that Thompson is receiving all hormone medication. Friedman told the judge the prison’s psychologists report Thompson “generally good and she feels safe.”

If convicted, prosecutors say Thompson could face more than 10 years in prison.

Upon news of the judge’s decision Friday, a Capital One spokesperson released the following statement:

Capital One appreciates the diligent and thorough work of the FBI and U.S. Attorney’s Office in this investigation, and their efforts to keep the community safe. We have seen no evidence that our customers’ data was used for fraud or disseminated, and the government’s statements are consistent with that. We continue to investigate this matter and will be as supportive as possible to federal authorities in their investigation and ongoing court case.

Suddenly gender dysphoria is a real thing once you're a tranny facing going to men's prison for at least a decade.
 