Here is proof on Web Archive showing the same picture: https://web.archive.org/web/20161126161620/http://blog.capitalone.co.uk . Having full control meant I could have done whatever I wanted, install my own SSL certificate, pretend to be Capital One and steal credentials and much more.

After I reported it, the Capital One team asked questions as to how I did it and why it happened. I walked them through the process and told them explicitly that I have no malicious intentions, my goal is to help them etc. Immediately after, a member of their team went on the phone with their security department and higher management (that’s what I was told). After it was reported their team had promised me a number of things such as an internship, a possible bounty, and other things. I was told someone would get in touch with me between Monday to Friday. Unfortunately, no one got in touch with me….

I did make multiple attempts to contact Capital One about this issue, and they said they would respond in a specified timeframe. Unfortunately, that timeframe passed and I tried calling and sent an email to no avail. Thus, I have decided to go public in the hopes that more attention will be drawn to this issue and wider problems surrounding cybersecurity and human ethics.

I am disappointed that a company of this size has not kept its word.

More proof: