API Security Breach: apisec Exposes Customer Data

March 31, 2025
APIsec Database Exposure: Customer Data at Risk

APIsec, a company specializing in API testing, recently experienced a security incident involving an exposed internal database. The database, which contained customer data, was reachable from the internet for several days without any password protection.

Details of the Data Breach

The compromised database contained records extending back to 2018. It included the names and email addresses of employees and users associated with APIsec’s clientele. Furthermore, details concerning the security status of APIsec’s corporate customers were also present within the exposed data.

According to UpGuard, the security research firm that initially discovered the vulnerability, much of the information originated from APIsec’s routine monitoring of customer APIs for potential security flaws.

UpGuard alerted APIsec to the issue on March 5th, and the database was subsequently secured.

The Importance of API Security

APIsec positions itself as a provider of API security testing services, catering to large organizations, including Fortune 500 companies. APIs (Application Programming Interfaces) are essential for enabling communication between different systems on the internet.

For example, APIs facilitate interactions between a company’s internal systems and users accessing its applications and websites. However, vulnerabilities in APIs can be exploited by malicious actors to extract sensitive data.

Exposed Customer Security Information

UpGuard’s published report, shared with TechCrunch before public release, revealed that the exposed data encompassed information about the attack surfaces of APIsec’s customers. This included whether multi-factor authentication was implemented for specific customer accounts.

UpGuard emphasized that this information could be valuable intelligence for potential attackers.

Initial Response and Subsequent Clarification

Initially, APIsec founder Faizel Lakhani characterized the exposed data as “test data” used for product testing and debugging. He asserted that it was not the company’s production database and contained no actual customer data.

Lakhani attributed the exposure to a “human mistake,” clarifying it was not the result of a malicious attack. He stated that public access was quickly terminated and the data was unusable.

Contradictory Evidence and Further Investigation

However, UpGuard presented evidence indicating the presence of information pertaining to real-world APIsec customers, including the results of security scans performed on their API endpoints.

The database also contained personally identifiable information (PII) of customer employees and users, such as names and email addresses.

Following the presentation of this evidence by TechCrunch, Lakhani acknowledged the discrepancy. He stated the company conducted an initial investigation on the day of UpGuard’s report and a subsequent reinvestigation this week.

Customer Notification and Legal Obligations

Lakhani confirmed that customers whose personal information was exposed had been notified. However, he declined to provide TechCrunch with a copy of the data breach notification sent to affected customers.

He also refrained from commenting on whether the company intends to notify state attorneys general, as required by data breach notification laws.

Additional Credentials Found

UpGuard also discovered a set of private keys for AWS, along with credentials for Slack and GitHub accounts, within the dataset. The researchers could not determine whether these credentials were still active, since testing them would have constituted unauthorized use.

APIsec explained that the AWS keys belonged to a former employee who left the company two years prior and that the keys had been deactivated upon their departure. The reason for their continued presence in the database remains unclear.

Tags: apisec, api security, data breach, api testing, security lapse, customer data