API leaks are a serious security issue. In the past year, 41% of firms reported experiencing an API security problem, according to a recent survey. According to a different study, the number of API security incidents rose by 681% in a single year.
API breaches can have terrible repercussions. They sometimes expose millions of private user records. An API hack can cause a disastrous loss of trust between developers and users, and it can have severe financial consequences.
To give you an idea of the kinds of API vulnerabilities that are out there, we have put together a list of eight of the most notable API breaches from the past two years.
1. Optus
Attackers found a publicly accessible Optus API endpoint that didn’t require authentication. This endpoint exposed extremely private customer information, including home addresses, phone numbers, dates of birth, and driver’s license numbers. The API developers had also used sequential identifiers, which allowed attackers to enumerate records simply by counting.
Both financially and in terms of the company’s reputation, this API breach had a significant effect. 11.2 million customer records may have been compromised as a result of the data breach. The financial effect of the data leak is estimated to be above $140 million.
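The two defects described above (an endpoint that requires no authentication, and record IDs that can be counted through) and the checks that close them, as an added example that is not Optus code or from the original article; the in-memory store, customer records, session tokens and function names are all constructed for the demo:

```python
import secrets
import uuid

# Added example, not Optus code: an in-memory customer lookup hardened against
# the two defects described above. All data, names and tokens are constructed.
CUSTOMERS = {}  # opaque id -> record (the breached API used sequential ints)
SESSIONS = {}   # bearer token -> opaque id of the logged-in customer

class AuthError(Exception): pass
class NotFound(Exception): pass

def create_customer(record):
    cid = str(uuid.uuid4())  # random UUIDv4: there is no "next" ID to guess
    CUSTOMERS[cid] = record
    return cid

def login(customer_id):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token

def get_customer(auth_header, customer_id):
    # An endpoint with neither check below amounts to `return CUSTOMERS[customer_id]`.
    # 1. Authentication: reject any request without a valid session token.
    if not auth_header or not auth_header.startswith("Bearer "):
        raise AuthError("missing credentials")
    caller = SESSIONS.get(auth_header[len("Bearer "):])
    if caller is None:
        raise AuthError("invalid token")
    # 2. Object-level authorization: callers may only read their own record.
    # "Not yours" and "does not exist" share one error so the response never
    # confirms which identifiers are valid.
    if caller != customer_id or customer_id not in CUSTOMERS:
        raise NotFound("no such record")
    return CUSTOMERS[customer_id]

def walkthrough():
    # Constructed run: one caller, one session, three requests.
    mine = create_customer({"name": "A. Example", "dob": "1990-01-01"})
    other = create_customer({"name": "B. Example", "dob": "1985-05-05"})
    token = login(mine)
    out = {"own_record": get_customer("Bearer " + token, mine)["name"]}
    for label, hdr, cid in (("unauthenticated", None, mine),
                            ("other_record", "Bearer " + token, other)):
        try:
            get_customer(hdr, cid)
            out[label] = "allowed"
        except (AuthError, NotFound) as exc:
            out[label] = type(exc).__name__
    return out
```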
2. 3Commas
Some API breaches cause even more severe direct financial losses, and not only to the company itself. That was unquestionably the case when the crypto trading company 3Commas suffered a $22 million cryptocurrency hack in the final hours of 2022.
The owner of 3Commas ultimately admitted the hacker had access to a huge stockpile of API keys after first attributing the API breach to a phishing scheme. Even worse, the hacker anonymously posted 10,000 API keys on Twitter, further escalating the harm and confusion. The 3Commas API hack is currently being looked into by the FBI.
The 3Commas API leak illustrates several intriguing problems the API market now faces. The API keys weren’t truly owned by 3Commas, because they had been created for integration with outside software. This makes it harder to resolve the security problems caused by the leak. One strategy is to have the affected customers rotate their API keys, but this adds insult to injury given how upset and insecure they already are. And since some users are bound to overlook the notice, this approach is also certain to be incomplete.
3. Beetle Eye
Marketing platform Beetle Eye suffered an API breach before the end of 2021, exposing seven million customer records. Hackers gained access to more than GB of data, including more than 6,000 files from ten distinct clients, through an unprotected AWS S3 bucket.
The Marigot Bay Resort, Hilton Sandestin Beach, and Miles Partnership were a few of these customers. Along with more common user information like first name, last name, and address, the exposed data also included a record of sales prospects. The AWS S3 bucket where the data was exposed lacked even a password. Future API developers should make sure that sensitive data is always at least password protected.
4. Dropbox
Dropbox is an example of an API breach caused by a phishing scheme. On November 1, 2022, hackers gained access to Dropbox’s internal code repositories: 130 GitHub repositories, some of which contained API keys and user data.
For their phishing attack, the hackers sent an email impersonating CircleCI, a popular CI/CD pipeline service. Users were directed to a fake CircleCI website, where they were asked to enter their GitHub credentials. They were then prompted to enter a one-time password as well.
As you can see, this was not a simple phishing email. The hackers clearly knew what they were doing and were technically sophisticated. It’s a sign that we all need to be more vigilant in 2023, as fraudsters get more sophisticated each year. Fortunately, it appears that no user data was accessed during the Dropbox API leak. The hackers were limited to obtaining code repositories from GitHub, which is bad news for them but good news for Dropbox users.
5. Twitter
Twitter experienced one of the biggest API breaches of the past two years. In December 2021, hackers exploited a vulnerability in the Twitter API to access the data of over 5.4 million Twitter users. The vulnerability allowed hackers to submit an email address or phone number to the Twitter API and retrieve the associated Twitter account.
The Twitter API breach could’ve been worse, as it only exposed users’ names, phone numbers, and email addresses. Hackers could use this user data for nefarious purposes if they get creative, though. It also greatly affected users’ trust and confidence in the social media network, which was already reeling.
6. FlexBooker
Another AWS vulnerability resulted in an API leak. FlexBooker disclosed an API compromise in December 2021 that exposed 3.7 million user records.
Worse, a portion of their system’s data storage was also downloaded. This not only resulted in the compromise of critical user data but also caused downtime. The social media scheduling company was able to restore service in roughly 12 hours, but it cost them their reputation as well as consumer trust. It’s just another illustration of how much harm an API breach can do to a business in a variety of ways.
7. Texas Department of Insurance
API attacks can even compromise government entities. When the Texas Department of Insurance was hacked in January 2022, it came out that its data had been publicly exposed for years. Due to a software fault, the endpoint that exposed the sensitive data, which included Social Security numbers, home addresses, dates of birth, phone numbers, and information about workers’ injuries, was accessible to the public from March 2019 until January 2022.
The API hack in January 2022 compromised 1.8 million records of Texans who had filed insurance claims. Fortunately, TDI says that none of the disclosed data has been exploited to date, but it remains a huge violation of trust and a blow to user faith in government entities.
8. Zendesk
Zendesk, a well-known help desk ticketing service, had a GraphQL endpoint that was vulnerable to SQL injection. This flaw was exploited to access sensitive user information. Timely patching resolved the situation quickly, which helped keep the damage to a minimum. While the flaw was active, attackers had access to customer conversations, email addresses, ticket numbers, and comments.
The issue was linked to a GraphQL API that could return email addresses, conversations, and ticket numbers. A second flaw allowed users to query the API without any check that they held the appropriate credentials. The most important lesson of the Zendesk API compromise is to protect your GraphQL APIs from SQL injection. This is fairly straightforward to accomplish with a firewall or proper authorization checks.
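The two Zendesk-style defects just described (a GraphQL resolver that splices its argument into SQL, and one that answers without checking the caller) next to a hardened resolver, as an added example that is not Zendesk’s code or from the original article; the ticket schema, rows, caller names and the tampered argument are all constructed for the demo:

```python
import sqlite3

# Added example, not Zendesk code: a GraphQL-style ticket resolver with the two
# defects described above beside a hardened version. Schema, rows, caller
# names and the tampered argument are all constructed for this demo.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER, owner TEXT, email TEXT, comment TEXT)")
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", "printer broken"),
        (2, "bob", "bob@example.test", "vpn login fails"),
    ])
    return db

def resolve_ticket_vulnerable(db, ticket_id):
    # Defect 1: the GraphQL argument is spliced into the SQL text, so a crafted
    # argument rewrites the query. Defect 2: nobody checks who is asking.
    sql = f"SELECT id, owner, email, comment FROM tickets WHERE id = {ticket_id}"
    return db.execute(sql).fetchall()

def resolve_ticket_hardened(db, caller, ticket_id):
    # Authorization first: an unauthenticated request never reaches the database.
    if caller is None:
        raise PermissionError("authentication required")
    # Validate the scalar type the way a GraphQL Int argument would be coerced.
    if not isinstance(ticket_id, int):
        raise ValueError("ticket id must be an integer")
    # Parameterized query: the value is bound, never parsed as SQL, and the
    # ownership predicate keeps callers inside their own tickets.
    return db.execute(
        "SELECT id, owner, email, comment FROM tickets WHERE id = ? AND owner = ?",
        (ticket_id, caller),
    ).fetchall()

def compare():
    db = make_db()
    tampered = "1 OR 1=1"  # constructed: a String argument passed straight through
    out = {
        "vulnerable_rows": len(resolve_ticket_vulnerable(db, tampered)),  # every ticket
        "own_ticket_rows": len(resolve_ticket_hardened(db, "alice", 1)),
        "foreign_ticket_rows": len(resolve_ticket_hardened(db, "alice", 2)),
    }
    try:
        resolve_ticket_hardened(db, None, 1)
        out["unauthenticated"] = "allowed"
    except PermissionError:
        out["unauthenticated"] = "rejected"
    return out
```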
API breaches have affected tens of millions of users in just the last two years. And many of these incidents could have been avoided.
Remember to keep your AWS buckets secure in the future. Don’t leave important user data exposed on unsecured endpoints. Make sure your GraphQL endpoints are protected, even if only by a firewall. Be wary of phishing scams. Follow these rules, learn from previous years’ mistakes, and you’ll be well on your way to being API-safe.