> We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment.
In other words, someone didn't put a password on their S3 database exposed to the internet...
S3 is not a database, but that's not the point. As explained by Capital One, the attacker gained access through a misconfigured web app. This could have happened on any platform (on-premise or cloud), and the underlying AWS services weren't compromised in any way.
> No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
This kind of double speak should double their fine.
JDEW|6 years ago
In other words, someone didn't put a password on their S3 database exposed to the internet...
julsimon|6 years ago
gm_fan_boi|6 years ago
dharmab|6 years ago
wilde|6 years ago
This kind of double speak should double their fine.