Our research team tracks data breaches around the web, and pays particular attention to API data breaches. We've outlined some of the many API breaches below, including a description and which of OWASP's ten API security principles we think were broken. This is not to call anyone out, but to ensure that security practitioners are aware of the attack vectors and malicious actions targeted at APIs.
For the most part, these API vulnerabilities and misconfigurations were not found by the companies themselves, even when they performed audits internally or via a traditional IT security firm. In many cases, outside security firms or bug bounty hunters found these leaks, which were subsequently fixed before any evidence of malicious activity was found. But it is hard to prove that malicious activity did not happen. The impact of API data breaches is massive today, and will continue to grow in the near future.
As with any data breach, these companies faced lawsuits, reputational damage, and internal HR fallout. Remember that it is always easier and less expensive to fix your API security than it is to repair your customers' trust.
If you want to add a known API breach to our tracker, you can send us the information via our 'API Data Breach Tracker Submission Form'. We'll validate and confirm the event before adding to the database.
We have compiled a report that incorporates data from this tracker. The State of API Security report provides detailed analyses of the attack vectors used most frequently in the real world.
API Political Gaffe
Elections present unique security challenges, as political parties are entrusted with swaths of information on virtually every eligible citizen. In some places, that information is publicly available and easily searchable. In others, such as Israel, it is not. The creator of a voting management app got in hot water in 2020 when they left a particularly vulnerable endpoint exposed. A simple "inspect source code" on the company's webpage revealed a link through which it was possible to access the usernames and passwords of the admins, which were stored as plain text values in the code.
Inhospitable API
A hospitality agency found itself vulnerable in 2020 when it discovered that its API was granting access to its database of 2,000,000 users without proper authorization. Further, sensitive information was being returned to a plain cURL request. If an attacker had mined the data (an investigation revealed no evidence of this but also could not rule it out), they would have found names, addresses, credit card records, and more potentially compromising information. In the midst of the COVID-19 pandemic, it was an inopportune time for trust in travel agencies and their booking procedures to take a hit.
API Fitness
In general, it may seem mostly harmless if your workout information is revealed. A lot of people like to brag that they work out, and if someone else can do it for them, then great. But if you're a famous person, or perhaps even the sitting President of the United States, it may not be so ideal that someone can track at least part of your schedule. A security researcher found they could do just that by calling the API of an exercise and fitness company. A simple request returned a lot of Personally Identifying Information (PII), even for profiles that were set to private. The company patched this, but only partially: the API was made accessible to just subscribers instead of everyone. The root problem was eventually solved, but it took longer than the 90 days of leeway that security researchers typically give.
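The failure above is a missing server-side authorization check: the API returned every field of a profile regardless of who asked and whether the profile was private. The following is an added example, not code from the original page or from the fitness company, showing one way to enforce the privacy setting and keep PII out of responses to anyone but the owner. The user store, follower relationships and field names are constructed for illustration.

```python
# Added example: profile lookup that filters fields by the caller's relationship to
# the profile owner, instead of trusting the client to hide private data.

# Constructed sample data standing in for the fitness service's user store.
USERS = {
    "u1": {"id": "u1", "display_name": "Runner A", "private": False,
           "email": "a@example.com", "home_lat": 40.0, "home_lon": -74.0,
           "recent_routes": ["route-101"]},
    "u2": {"id": "u2", "display_name": "Runner B", "private": True,
           "email": "b@example.com", "home_lat": 38.9, "home_lon": -77.0,
           "recent_routes": ["route-202"]},
}
FOLLOWERS = {"u2": {"u1"}}   # constructed: u1 is an approved follower of u2

# Field allow-lists. Email and home coordinates are in neither list, so they are
# only ever returned to the profile owner.
PUBLIC_FIELDS = {"id", "display_name", "private"}
FOLLOWER_FIELDS = PUBLIC_FIELDS | {"recent_routes"}


def get_profile(requester_id, target_id):
    """Return only the fields `requester_id` may see for `target_id`.

    `requester_id` is None for an unauthenticated caller. Returns None when the
    profile does not exist or the caller may not see it at all.
    """
    user = USERS.get(target_id)
    if user is None:
        return None
    if requester_id == target_id:
        allowed = set(user)            # the owner sees every field
    elif not user["private"]:
        allowed = FOLLOWER_FIELDS      # public profile: routes visible, PII still not
    elif requester_id is None:
        return None                    # anonymous callers learn nothing about private profiles
    elif requester_id in FOLLOWERS.get(target_id, set()):
        allowed = FOLLOWER_FIELDS      # approved follower of a private profile
    else:
        allowed = PUBLIC_FIELDS        # logged-in stranger: only the name card
    return {k: v for k, v in user.items() if k in allowed}
```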
Credit where it isn’t due
Last April, a security researcher found a vulnerability in the API of a consumer credit reporting agency that could have compromised the financial well-being of millions. Credit scores are highly confidential and in general should be kept under strict lock and key, but in this case the keys were much easier to find than they should have been. The credit agency provided an API to a third-party lender, through which the researcher discovered it was possible to retrieve an individual's credit score. The API put up authentication roadblocks that were simple to bypass, often requiring just a name, address, zip code, and birthdate. If a Facebook user from North Carolina, where voter registration information including name and address is publicly searchable, had used this service, their credit information would have been available within seconds.
Farming API Data
The Internet of Things encompasses many more, well, things than one might expect. For example, a tractor used to just be a tractor. But nowadays a new tractor might also be connected to the internet to provide emissions and usage data and maintenance support, a concept that has sparked a good deal of controversy and several right-to-repair acts. It should perhaps also be worrisome, because connecting a thing to the internet usually requires an API, and if you're not careful, that API can be vulnerable. Indeed, a manufacturing company found that out in April of last year when a security researcher was able to call an API repeatedly, without authentication, to determine whether a username was available. Coupled with a lack of rate limits, this enabled the researcher to determine within minutes which companies were using the manufacturer's products. Step two involved easily bypassing authentication on another endpoint to gather copious metadata on users with just a vehicle identification number. Had the researcher been an attacker, it would not have taken long to use these two datasets to wreak further havoc on an already-strained supply chain.
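The username-availability endpoint above was missing two controls: it accepted unauthenticated calls and it had no rate limit, so the whole customer list could be enumerated in minutes. The following is an added example, not code from the original page or from the manufacturer, showing a token-bucket limiter keyed by the authenticated client, placed in front of the check. The session table, the taken-username set and the bucket parameters are constructed for illustration.

```python
# Added example: username-availability check with the two missing controls,
# a required session token and a per-client token-bucket rate limit.
import time

VALID_SESSIONS = {"sess-abc": "dealer-17"}        # constructed: session token -> client id
TAKEN_USERNAMES = {"acme-farms", "valley-coop"}   # constructed sample data


class TokenBucket:
    """Allow up to `capacity` requests per client, refilling `rate` tokens per second.

    The clock is injectable so the refill behaviour can be tested deterministically.
    """

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}   # client id -> (tokens remaining, timestamp of last update)

    def allow(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last call
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1, now)
        return True


# Assumed policy: a burst of 5 checks, then one every 10 seconds per client.
LIMITER = TokenBucket(capacity=5, rate=0.1)


def check_username(session_token, username, limiter=LIMITER):
    """Return (HTTP status, JSON body) for an availability check.

    Unauthenticated or rate-limited callers get an error and learn nothing
    about whether the username exists.
    """
    client = VALID_SESSIONS.get(session_token)
    if client is None:
        return 401, {"error": "authentication required"}
    if not limiter.allow(client):
        return 429, {"error": "too many requests"}
    return 200, {"available": username not in TAKEN_USERNAMES}
```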
Crypto Wallet Users Compromised
In many of the above cases, the problem was fixed before any evidence of an attack surfaced. But not everyone is so lucky. In April of 2020, a cryptocurrency wallet service had set up an API for a third-party marketing firm to use. However, according to an audit done by the service, some API keys were not properly hashed, leaving customers' PII exposed. The audit concluded that almost 10,000 records were breached and stolen as a result. But the story did not stop there: a database of over 200,000 customers with their emails, phone numbers, and physical addresses was found circulating on hacker sites a few months later. It is speculated that disgruntled former employees were able to steal this list because their authentication credentials had not been revoked. Without proper auditing procedures, it is difficult to determine exactly how the damage was done. What is not difficult to determine is the extent of the damage to the customers and the brand.