
Meet Paige Thompson, who is accused of hacking Capital One and stealing the data of 100 million people

Key Points
  • The FBI arrested 33-year-old Paige Thompson, saying she is responsible for the theft of over 100 million Capital One customer records.
  • Thompson faces charges of computer fraud and "abuse for an intrusion on the stored data" of Capital One.
  • She reportedly worked at Amazon as recently as 2016.
  • Amazon says "AWS was not compromised in any way and functioned as designed."

A software engineer accused of hacking into Capital One and stealing the data of more than 100 million people tweeted about euthanizing her cat, Millie, and seeking mental help, authorities said.

The FBI arrested 33-year-old Paige Thompson of Seattle on Monday, saying she is responsible for the Capital One digital break-in.

Thompson faces federal charges of computer fraud and "abuse for an intrusion on the stored data." The FBI said it tracked her down with help from Capital One, which received a tip about the stolen data in an email. Federal agents were able to link her identity to social media and user accounts under the alias "erratic," by which she was known online.

She is believed to have acted alone, investigators said. In other major hacks, Equifax and Marriott were attacked from the outside by criminals with a nation-state connection.

Thompson worked in the Seattle area as a technology company software engineer, the Justice Department said. It said she intruded "into servers rented or contracted" by Capital One, as well as "from a company that provides cloud computing services."


The DOJ did not mention the name of the company, but it said Thompson worked at a cloud software company from 2015 to 2016. An Amazon spokesperson confirmed that Thompson worked for Amazon Web Services, but left in 2016.

"AWS was not compromised in any way and functioned as designed," Amazon said in a statement to CNBC. "The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. ... This type of vulnerability is not specific to the cloud."

Capital One gets a tip

The financial institution received an anonymous tip on July 17 from a person who said in an email that "there appears to be some leaked s3 data of yours in someone's github ... let me know if you want help tracking them down," a screenshot showed.

The DOJ said the GitHub file "contained the IP address for a specific server" of Capital One, which had "a firewall misconfiguration." That "permitted commands to reach and be executed by that service, which enabled access to folders or buckets of data in Capital One's storage space at the Cloud Computing Company," investigators said.

Thompson allegedly took data that was primarily "related to credit card applications," the complaint said, including about 120,000 Social Security numbers and about 77,000 bank account numbers.

FBI tracks Thompson through social media accounts

According to the DOJ complaint, the FBI found Thompson's account on Meetup, the online app to connect people for activities and events. The FBI found a group organized by "erratic," which it said was her alias.

The Meetup group had an invitation to a Slack channel, and the FBI reviewed postings on that channel. A Slack user named "erratic" posted a list of files, the DOJ said, which the user "claimed to possess." The FBI believes the files match the data stolen on April 21.

Additionally, the DOJ complaint included an FBI screenshot of the Slack channel, in which another user says that this is "sketchy s---" and "don't go to jail plz."

"I wanna get it off my service that why Im archiving all of it," the user "erratic" said. "Its all encrypted."

The FBI also alleges that Thompson talked in the Slack channel "about one of her pets." A post showed "an estimate from a veterinarian dated June 10, 2019, provided to 'Paige Thompson' at the same address listed on the 'Paige Thompson' resume described."

Authorities said Thompson also used the "erratic" alias for a Twitter account. With nearly 900 posts, and some as recent as the day of her arrest, Thompson tweeted about her work, programming and cats. But in a series of tweets on July 5, she appeared to intend to check herself into a psychiatric institution. Thompson began the tweets by saying "tomorrow I'm going to call in ahead and schedule a euthanasia for my cat." It's unclear what happened to the cat, named Millie.

"After this is over I'm going to go check into the mental hospital for an indefinite amount of time. I have a whole list of things that will ensure my involuntary confinement from the world. The kind that they can't ignore or brush off onto the crisis clinic. I'm never coming back," one tweet said.

In a post directed at a Twitter user, Thompson asked "would you be interested in giving a statement regarding my mental health so that when I go to commit myself after I have my cat put to sleep I can just f------ stay somewhere and be in peace indefinitely."

"All you gotta do is just tell them how f----- up I am I'll give you info," Thompson said in a tweet.

Capital One also shared with the FBI a screenshot of Thompson's apparent Twitter account messaging with the individual who sent the company the tip about the stolen data. The Twitter user "ERRATIC" messaged that "Ive basically strapped myself with a bomb vest, f------ dropping capital ones box and admitting it," the DOJ complaint showed.

The FBI said in the complaint that this indicates Thompson "intended to disseminate data stolen from victim entities, starting with Capital One."

If convicted, Thompson could be sentenced to five years in prison and fined $250,000.

Capital One put out guidelines for people to determine whether their records were among those hacked.