In various online platforms, authorities say, the suspect accused of hacking Capital One boasted about what she had done: penetrated a vulnerability in the financial institution's database, compromising millions of customers.
Her gloating continued even after those she was communicating with warned that what she was doing was "sketchy," telling her, "don't go to jail plz," screenshots in a federal criminal complaint filed Monday show.
Ultimately, it was that online trail of brags — plus the occasional mention of cats — that authorities say led them to Paige A. Thompson, a former software engineer from Seattle arrested Monday in connection with the hack, one of the biggest bank data breaches in history.
Thompson, 33, was arrested for allegedly hacking into a server rented by Capital One and obtaining data for more than 100 million people. It was not clear if any of the information was passed to third-parties, something authorities are looking into as part of their investigation. She was charged with one count of computer fraud and abuse and faces up to five years in prison and a $250,000 fine.
At least once since March, Thompson allegedly got access to the data through a misconfigured security feature and then posted it to GitHub, a platform typically used for software-development projects, the 12-page criminal complaint says.
In the complaint, FBI special agent Joel Martini detailed how the boasts and other online clues, which appeared on GitHub, Twitter, the social network Meetup and the messaging platform Slack, quickly led him to Thompson, who once worked for Amazon Web Services.
The FBI was first alerted to the breach when an unidentified individual sent a note to Capital One's security hotline email address, informing the company that "there appears to be some leaked" data on GitHub. The web address for the GitHub page included Thompson's full name, including her middle name, Martini wrote. Also on the GitHub page was Thompson's resume, with her home address.
Attached to the email from the tipster was a direct message from a Twitter account by the username "erratic" who wrote to the tipster on June 18: "Ive basically strapped myself with a bomb vest, f-----g dropping capitol ones dox and admitting it," with "dox" referring to publishing private identifying information online. "I wanna distribute those buckets i think first."
"Erratic" appeared to have been Thompson's username across multiple platforms. On Meetup, Martini found a group dedicated to chatting about hacking that listed "erratic" as the organizer. The group included an invitation for a Slack channel in which a user, under the names "erratic" and Thompson's full name, appeared to boast about intrusions they had committed.
"Sketchy s--t," someone else in the Slack channel, whose username was redacted in the criminal complaint, replied on June 27. "Don't go to jail plz."
Recent tweets from the "erratic" Twitter account include some retweets of various technology-related accounts. They also mention having to put a beloved pet to sleep: "I MISS MY CAT!!!! :((" said one on July 25. On July 23, one read: "Millie passed away about 3:15. Was the most painful thing." Another tweet later in the day read, "She was [a] sweet and loving cat."
Meanwhile, in the Slack channel where the user by Thompson's name and "erratic" was posting, there were also discussions about a pet. Sometime around July 19, the user with Thompson's name included an estimate from a veterinarian from the month prior that listed the same home address as Thompson's resume.
For Martini, this was confirmation that Thompson was the person posting under the two usernames, especially after reviewing photos posted on her Twitter that appeared to depict her as the same person shown in photos in the Slack channel.
Authorities searched Thompson's home Monday and seized multiple digital devices, which agents found included files with references to Capital One on them. Thompson was appointed a public defender, who did not immediately return a request for comment.
Capital One said in a statement that it would provide free credit monitoring and identity protection to everyone affected.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One Chairman and CEO Richard D. Fairbank said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Andrew Blankstein is an investigative reporter for NBC News. He covers the Western United States, specializing in crime, courts and homeland security.