The Capital One data breach has been big news and for good reason. The exposure of over 100 million personal data records is a big deal—especially when it’s a bank, and especially when it’s a bank like Capital One that has leaned into the cloud so heavily. It is too easy for the skeptics and naysayers to blame the cloud; which makes it even more critical to truly understand what happened.
With serverless at the top of our mind, we set out to recreate this hack in serverless frameworks. Our head of security research, an ethical hacker, Tal Melamed, managed to successfully recreate the Capital One breach in serverless but took it one step further by demonstrating just how to block it.