IF Insights: APIsec exposes client data due to unsecured database

Customers whose personal information was discovered in the data were notified after the information was shared with APIsec

According to experts, APIsec, a business specialising in proactive, automated, and continuous API security testing, may have unintentionally posted private client information online.

UpGuard, a cybersecurity research firm, made the initial discovery, which the company later verified.

According to reports, the data sat in an internet-connected database with no password protection for “several” days before being locked down as soon as UpGuard alerted APIsec.

Since the business monitors its clients’ APIs for security flaws, most of the data was generated by its own products. Some of it dated back to 2018 and included the names and email addresses of customers’ users and employees, along with details of their API security posture. For a threat actor, this type of information can be very useful because it includes details such as whether or not 2FA was enabled.

According to reports, APIsec initially attempted to minimise the significance of the incident by claiming that the database contained “test data,” that it wasn’t the company’s production database, and that it didn’t contain customer data.

However, it changed its position when evidence to the contrary was presented. UpGuard appears to have found proof that the database also contained information from actual corporate clients, including the names, emails, and scan results of its customers’ employees and users, as well as details about the security posture of APIsec’s corporate customers.

“APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company’s back-end systems with users accessing its app and website. Insecure APIs can be exploited to syphon sensitive data from a company’s systems,” said a TechCrunch report.

UpGuard further stated that the exposed data included information about the attack surfaces of APIsec’s customers, such as details about whether multi-factor authentication was enabled on a customer’s account. UpGuard mentioned that this information could provide useful technical intelligence to a malicious adversary.

Customers whose personal information was discovered in the data were notified after the information was shared with APIsec. Nevertheless, APIsec declined to provide a copy of the breach notification letter or to disclose the number of individuals impacted.

When contacted, APIsec founder Faizel Lakhani initially downplayed the security lapse, stating that the database contained “test data” that APIsec uses to test and debug its product.

Lakhani added, “The database was not our production database, and no customer data was in the database,” while confirming that the exposure was due to a “human mistake” and not a malicious incident. The APIsec CEO also mentioned that his company quickly closed public access, ensuring the data in the database was no longer accessible.

However, UpGuard stated that it found evidence of information in the database relating to real-world corporate customers of APIsec, including the results of scans from its customers’ API endpoints for security issues, as well as personal information.

Lakhani then backtracked as TechCrunch provided the company with evidence of leaked customer data. In a later email, the founder stated that the company completed an investigation on the day of UpGuard’s report and reexamined the situation. Subsequently, APIsec notified customers whose personal information was in the database that had been publicly accessible.

UpGuard also found a set of private keys for AWS and credentials for a Slack account and a GitHub account in the dataset, but the researchers could not determine whether the credentials were active. APIsec claimed that the keys belonged to a former employee who left the company two years ago and were disabled upon their departure. It’s unclear why the AWS keys were left in the database.

Sensitive data leaks continue to be primarily caused by unprotected databases. The fact that cloud hosting operates on a shared responsibility model is often overlooked by businesses that use it to store data about their clients, customers, or employees.
