Capital One 'hacker' hit with fresh charges: She burgled 30 other AWS-hosted orgs, Feds claim

The ex-Amazon engineer who allegedly stole 100 million Capital One credit applicants' personal details from AWS cloud buckets has been formally accused of swiping data from 30 other organizations.

Paige Thompson, 33, was collared last month after cops, acting on a tip off, raided her Seattle home and allegedly discovered a computer containing vast quantities of records purloined from Capital One's AWS-hosted systems as well as files from 30 other organizations.

An indictment [PDF], filed on Wednesday in a US federal district court, noted that investigators have identified most of the companies and institutions allegedly hit by Thompson, and lists three as “a state agency outside the State of Washington; a telecommunications conglomerate outside the United States; and a public research university outside the State of Washington.”

According to prosecutors, Thompson wrote software that scanned for customer accounts hosted by a “cloud computing company,” which is believed to be her former employer, AWS or Amazon Web Services. It is claimed she specifically looked for accounts that suffered a common security hole – specifically, a particular web application firewall misconfiguration – and exploited this weakness to hack into the AWS accounts of some 30 organizations, and siphon their data to her personal server. She also used the hacked cloud-hosted systems to mine cryptocurrency for herself, it is alleged.

“The object of the scheme was to exploit the fact that certain customers of the cloud computing company had misconfigured web application firewalls on the servers that they rented or contracted from the cloud computing company,” the indictment reads.

It goes on: “The object was to use that misconfiguration in order to obtain credentials for accounts of those customers that had permission to view and copy data stored by the customers on their cloud computing company servers. The object then was to use those stolen credentials in order to access and copy other data stored by the customers.”

Boasting blowback

Limited technical detail is provided, and the indictment confirms what we already knew: that she allegedly used a combination of Tor and VPN provider IPredator to protect her anonymity while swiping the data, though, according to the Feds, she accessed things like her public GitHub account using these tools as well as the AWS servers, allowing g-men to trace the activity back to her. For one thing, her GitHub username was her full real name.

Jeff Bezos feels a tap on the shoulder. Ahem, Mr Amazon, care to explain how Capital One's AWS S3 buckets got hacked?

READ MORE

She also allegedly bragged about her hack to friends on Slack, and then later in a GitHub Gist post that contained detailed information about Capital One's systems including access commands; her boasts quickly became a focus of the Feds' attention, prosecutors say.

According to the authorities, a whistleblower spotted her Gist post and alerted Capital One via email. The credit giant found the boasts were real, and its customers’ details were accessible, patched the hole, and called the FBI. Ten days after it was first informed by Capital One, the FBI and police stormed Thompson's house near Seattle airport in a military-style raid, and charged her with breaking America's Computer Fraud and Abuse Act.

Now, the techie faces an additional computer abuse charge over the 30 other AWS-hosted organizations she allegedly hacked and stole information from, and one count of wire fraud due to “transmitted by means of wire communication in interstate commerce, from her computer in Seattle to a computer outside the State of Washington, writings, signs, signals, pictures, and sounds,” it claimed.

If found guilty, Thompson faces up to 25 years behind bars. She was refused bail, and is next due in court in Seattle for arraignment on September 5. ®