Busted: Capital One Hacker Got Access To 100M Accounts, Bragged About It Online, Stock Down 7 Percent

Written by Dana Sanchez
Capital One hacker
Paige Thompson in a photo she posted to her Twitter account.

Authorities say software engineer Paige A. Thompson’s online trail of bragging and the occasional mention of her cats helped lead them to her.

Thompson, who once worked for Amazon web services, has been accused in Seattle federal court of hacking Capital One. It’s one of the biggest bank data breaches in history at one of the largest issuers of credit cards in the U.S.

Thompson allegedly got data — mostly related to credit applications — through a “firewall misconfiguration” aka vulnerability, New York Post reported. She was able to execute commands with a server, getting access to data in Capital One’s storage space at a “Cloud Computing Company,” according to the criminal complaint.

The New York Times identified that company as Amazon.

Capital One stock fell about 7 percent on news of the data breach — that’s more than $3 billion worth, Marketwatch reported, “but history shows us that scandals blow over quickly.”

The data breach impacted about 100 million people in the U.S. and 6 million in Canada, Capital One said in a statement Monday. No credit card account numbers or log-in credentials were compromised, but 140,000 Social Security numbers of credit card customers were.

On social media, Thompson boasted about what she had done. The people she was communicating with warned her that what she was doing was “sketchy” and told her, “don’t go to jail plz.” Screenshots of those warnings are now evidence in a federal criminal complaint filed on Monday, NBC News reported.

Thompson, 33, was arrested Monday in connection with hacking into the server rented by Capital One and getting data for more than 100 million people. It’s unclear if any of the information was given to third-parties. She’s been charged with computer fraud and abuse and faces up to five years in prison and a $250,000 fine.

Thompson allegedly posted the data on GitHub, a code-hosting platform usually used by software-developers.

She left boasts and other online clues on GitHub, Twitter, Meetup, and the messaging platform Slack, FBI special agent Joel Martini said in the complaint.

Listen to GHOGH with Jamarlin Martin | Episode 39: Tunde Ogunlana

Jamarlin talks to family wealth advisor Tunde Ogunlana, CEO of Axial Family Advisors, about estate planning and Snoop Dogg’s comment that he doesn’t need a will (“I don’t give a f— when I’m dead. What am I gonna give a f— about?”). They also discuss the growing college debt bubble, whether more free tuition will help solve the problem, and why MBAs are like the bachelor’s degrees of 30 years ago.

An unidentified person sent a note to Capital One’s security hotline email address saying “there appears to be some leaked” data on GitHub. The web address for the GitHub page included Thompson’s name, resume and home address.

Along with the tip, the person attached a direct message from a Twitter account for username “erratic” who wrote to the tipster on June 18: “Ive basically strapped myself with a bomb vest, f—–g dropping capitol ones dox and admitting it.” Dox refers to publishing private identifying information online. “I wanna distribute those buckets i think first.”

Recent tweets from erratic’s Twitter account also mention having to put a beloved cat to sleep. On July 23, one tweet read: “Millie passed away about 3:15. Was the most painful thing.” Another tweet later in the day read, “She was [a] sweet and loving cat.” And on July 25, “I MISS MY CAT!!!! :((”