Credential theft
Capital One AWS SSRF/IMDSv1 Breach (106M Records, $190M Settlement)
Primary Source: Incident Details
On March 22-23, 2019, Paige Thompson (alias 'erratic'), a former AWS software engineer, exploited a misconfigured AWS Web Application Firewall (WAF) running on Capital One's EC2 infrastructure. The misconfiguration allowed Server-Side Request Forgery (SSRF), which Thompson used to make requests from the Capital One server to the AWS EC2 Instance Metadata Service (IMDSv1) at 169.254.169.254. IMDSv1 returns temporary IAM credentials to anyone who can reach it, including via SSRF, a fundamental design flaw that AWS later addressed with IMDSv2. Using the stolen IAM role credentials, Thompson listed and accessed over 700 S3 buckets containing Capital One credit card application data.

The breach exposed approximately 106 million credit card applications, including names, addresses, zip codes, phone numbers, email addresses, dates of birth, self-reported income, credit scores, credit limits, payment history, and approximately 140,000 Social Security numbers and 80,000 bank account numbers. Thompson posted the stolen data publicly in a GitHub repository and boasted about it in a Slack channel, which led to her arrest. Capital One paid an $80 million OCC fine and a $190 million class action settlement. The case is a landmark in cloud security for demonstrating the SSRF-to-IMDSv1 attack chain, and it drove AWS to make IMDSv2 the default, mandate its use, and ultimately deprecate IMDSv1.
Technical Details
- Initial Attack Vector
- Paige Thompson (former AWS engineer) exploited a Server-Side Request Forgery (SSRF) vulnerability in a misconfigured AWS WAF to reach the EC2 Instance Metadata Service (IMDSv1) endpoint and steal temporary IAM role credentials; she then used those credentials to access 700+ S3 buckets containing Capital One customer data
- Vendor / Product
- Amazon Web Services (WAF, EC2 IMDSv1, S3)
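Two defender-side checks for the chain described above, added here as an example (not code from this write-up, from AWS or from Capital One): an audit that flags EC2 instances whose metadata options still accept IMDSv1 (the precondition for this attack, since IMDSv1 answers a plain unauthenticated GET), using the `MetadataOptions` shape that `aws ec2 describe-instances` returns, and a scan of access-log lines for requests that carry the IMDS address in a query parameter. The instance records and log lines are constructed, and only the literal metadata address and its documented IPv6 form are matched; other host encodings would need a resolver-based check.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Link-local IMDS address and AWS's documented IPv6 form (as urlsplit().hostname reports them).
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

def audit_imds(reservations):
    """Flag instances whose MetadataOptions still accept IMDSv1, the precondition for the
    SSRF-to-credentials chain. Input mirrors `Reservations` from `aws ec2 describe-instances`."""
    findings = []
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service off: nothing for an SSRF to fetch
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSv1 allowed; set HttpTokens=required"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((inst["InstanceId"], "hop limit > 1; reachable via proxies/containers"))
    return findings

_REQ = re.compile(r'"(?:GET|POST|PUT|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def find_ssrf_to_imds(log_lines):
    """Return (line_no, param, value) for requests whose query parameter names the IMDS
    address, the trace an SSRF against IMDSv1 leaves in web/WAF access logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQ.search(line)
        if not m:
            continue
        for key, raw in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            val = unquote(raw)  # parse_qsl decoded once; undo a second layer of encoding
            try:
                host = urlsplit(val if "//" in val else "//" + val).hostname or ""
            except ValueError:  # malformed bracketed host, cannot be a valid target
                continue
            if host in IMDS_HOSTS:
                hits.append((n, key, val))
    return hits

# Constructed sample data, not real Capital One assets or logs.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 2}}]}]
SAMPLE_LOGS = [
    '10.0.0.5 - - [22/Mar/2019:03:14:07 +0000] "GET /render?url=https://example.com/a.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Mar/2019:03:14:09 +0000] "GET /render?url=http%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 200 1340',
    '10.0.0.9 - - [22/Mar/2019:03:14:10 +0000] "GET /healthz HTTP/1.1" 200 2']
```

Running `audit_imds(SAMPLE_RESERVATIONS)` reports i-0aaa for IMDSv1 and i-0bbb for its hop limit, and `find_ssrf_to_imds(SAMPLE_LOGS)` returns only the second log line.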
Timeline
- 2019-03-22 Breach occurred
- 2019-07-29 Publicly disclosed
- 2019-07-29 Customers notified