

The Capital One Hack

07/05/2025

In July 2019, Capital One suffered a major data breach affecting over 100 million individuals, stemming from a misconfigured Web Application Firewall (WAF) in their AWS-hosted infrastructure. The attacker, a former Amazon Web Services (AWS) employee, exploited a well-known vulnerability class called Server-Side Request Forgery (SSRF). This technique allowed her to trick the firewall into relaying requests to the AWS instance metadata service, a critical resource that hands out temporary credentials to cloud instances. Because the misconfigured WAF ran with overly permissive access policies, those temporary credentials granted broad permissions, including the ability to list and read files across various data storage buckets, which ultimately enabled the data exfiltration.

The breach highlights multiple systemic issues in cloud security practices. SSRF, while not a novel attack, remains hard to detect and is often not covered by default detection rules in common WAF tools, such as the open-source ModSecurity used by Capital One. The incident also exposed the challenges many organizations face when transitioning from traditional infrastructure to cloud environments, where nuanced understanding of cloud-specific tools like AWS IAM and metadata services is essential. Though AWS defended the robustness of its infrastructure, it acknowledged that proper configuration and awareness are crucial, pointing to tools like Access Advisor, GuardDuty, and Macie as optional mitigations that could have helped reduce the breach impact.
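The chain described above has two places a defender can break it: the proxy that forwards requests on a user's behalf (which should never reach the metadata endpoint), and the logs of that proxy (where any request to the metadata address is a high-confidence signal). The following Python is an added example, not code from the original post or from Capital One, showing both controls: an allow-list based outbound URL check that also refuses link-local, private and loopback literals (including the IPv4-mapped IPv6 form), and a small scanner over constructed proxy log lines that flags requests to the IMDS addresses. The allow-list is the primary control; the address check is defence in depth, because decimal or otherwise re-encoded hostnames can slip past a pure deny-list. The log format and hostnames are assumptions for the example. The platform-side mitigation that is not shown here is IMDSv2, which requires a session token obtained with a PUT request and a hop limit that a forwarding proxy cannot satisfy.

```python
import ipaddress
from urllib.parse import urlsplit

# Well-known EC2 instance metadata service addresses (IPv4 and IPv6).
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def _literal_ip(host):
    """Parse a hostname as an IP literal; unwrap ::ffff:a.b.c.d to IPv4.
    Returns None for DNS names (and for re-encodings ipaddress rejects,
    such as a bare decimal integer), which is why an allow-list is still needed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def outbound_request_allowed(url, allowed_hosts):
    """Decide whether a proxy/WAF may forward `url` on behalf of a client.
    Returns (allowed, reason). Only http(s); no non-public IP literals;
    host must be on the explicit allow-list (hypothetical set for this example)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    host = parts.hostname
    if not host:
        return False, "no host"
    ip = _literal_ip(host)
    if ip is not None and not ip.is_global:
        # Catches 169.254.169.254, 127.0.0.1, 10.0.0.0/8, fd00::/8, ::ffff:... etc.
        return False, f"non-public address {ip}"
    if host.lower() not in allowed_hosts:
        return False, "host not on allow-list"
    return True, "ok"


# Constructed proxy log lines in an assumed "<time> <component> <method> <url> <status>" format.
CONSTRUCTED_PROXY_LOG = """\
2019-07-01T10:00:01Z proxy GET http://app.internal.example/health 200
2019-07-01T10:00:02Z proxy GET http://169.254.169.254/latest/meta-data/ 200
2019-07-01T10:00:03Z proxy GET http://[fd00:ec2::254]/latest/meta-data/ 200
2019-07-01T10:00:04Z proxy GET https://api.example.com/v1/items 200
"""


def metadata_requests(log_text):
    """Return the log lines whose request URL targets an instance metadata address.
    Any such line from a forwarding proxy is worth an alert: a WAF has no
    legitimate reason to fetch instance credentials on a client's behalf."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the scanner
        host = urlsplit(fields[3]).hostname
        ip = _literal_ip(host) if host else None
        if ip is not None and ip in METADATA_ADDRESSES:
            hits.append(line)
    return hits


if __name__ == "__main__":
    allow = {"api.example.com"}
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "https://api.example.com/v1/items"):
        print(u, "->", outbound_request_allowed(u, allow))
    for hit in metadata_requests(CONSTRUCTED_PROXY_LOG):
        print("ALERT:", hit)
```

In the Capital One case the forwarding was done by the WAF itself, so the check belongs in whatever component rewrites or relays client-supplied URLs; the log scan is the compensating detection for the period before such a fix is in place.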

Broader Implications and Lessons

The Capital One breach exposed the critical risks of cloud misconfigurations and underlined how serious SSRF vulnerabilities can be in cloud environments. It highlighted the need for deeper technical expertise in managing cloud infrastructure securely. While AWS stressed customer responsibility, the incident sparked calls for safer platform defaults. Ultimately, it served as a cautionary tale: moving to the cloud without proper understanding and controls can lead to severe data exposure.

We made a challenge inspired by this incident:

Capital0

Think you can fix it?

It is available in:

Read more about the incident: What We Can Learn from the Capital One Hack – Krebs on Security
