APIsec, a firm specializing in API testing, has confirmed that it secured an internal database containing customer data that had been unintentionally exposed to the internet without a password for several days. The database, reachable by anyone without authentication, included records dating back to 2018. These records contained names and email addresses of the company’s customers’ employees and users, along with information about the security arrangements of APIsec’s corporate clients.
According to UpGuard, the security research firm that discovered the exposure, much of the data had been generated through APIsec’s monitoring of its customers’ APIs for security vulnerabilities. UpGuard identified the exposed data on March 5 and promptly informed APIsec, which then secured the database.
APIsec, known for collaborating with Fortune 500 companies, focuses on testing APIs, the interfaces through which different systems on the internet talk to each other, such as a company’s backend and the users of its app or website. An API with weak authentication or authorization checks can be abused to pull sensitive data out of the systems behind it.
A report published by UpGuard and shared with TechCrunch revealed that the exposed data contained information on the attack surfaces of APIsec’s customers, such as whether multi-factor authentication was enabled on user accounts. UpGuard suggested that this information could be valuable for malicious actors.
In response, APIsec founder Faizel Lakhani initially downplayed the severity of the exposure, describing the database as containing “test data” used for testing and debugging. He asserted that the database was not part of the company’s production environment and contained no customer data, attributing the exposure to human error and clarifying that it was not the result of malicious activity.
Lakhani stated, “We quickly closed public access. The data in the database is not usable.” However, UpGuard reported finding evidence that real corporate customer information, including security scans of customers’ API endpoints, was present in the database. It also contained personal details of customers’ employees, such as names and email addresses.
After being presented with evidence of leaked customer data by TechCrunch, Lakhani revised his stance, saying the company had completed an investigation on the day UpGuard’s report was received and later re-evaluated the situation. Following the incident, APIsec notified affected customers whose data had been exposed. Lakhani declined to provide TechCrunch with a copy of the data breach notice the company says it sent to customers and did not comment on whether the company plans to notify state attorneys general, as state data breach notification laws require.
Additionally, UpGuard found a set of AWS access keys and credentials for a Slack and a GitHub account within the dataset. The researchers were unable to verify whether these credentials were still active, since using them without permission would be illegal. APIsec said the keys belonged to a former employee who left the company two years prior and that they had been deactivated at the time of the employee’s departure. Why the AWS keys were present in the database remains unclear.
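The credentials UpGuard reported are exactly the kind of thing an owner should sweep an exposed dataset for before deciding what was leaked. The following is an added example, not code from APIsec or UpGuard, of a small scanner that walks constructed sample records and flags strings matching the publicly documented prefixes of AWS access key IDs, Slack tokens and GitHub tokens. The records, field names and the AWS key (AWS’s own documented placeholder, AKIAIOSFODNN7EXAMPLE) are constructed for illustration; the regular expressions are approximations of the token formats, not an exhaustive list.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for an exposed scan database.
# The AWS key is AWS's documented placeholder; the Slack and GitHub values are
# made-up strings that only follow the public token formats. None are real.
SAMPLE_RECORDS = [
    {"id": 1, "note": "scan config for acme", "env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"id": 2, "note": "alert hook", "env": "SLACK_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"},
    {"id": 3, "note": "ci bot", "env": "GITHUB_TOKEN=ghp_" + "a" * 36},
    {"id": 4, "note": "scan result", "env": "mfa_enabled=false"},
]

# Approximate patterns for the credential families named in the report.
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) followed by
# 16 characters; Slack tokens start with xox[abpr]-; GitHub tokens use a gh?_
# prefix followed by 36 characters. Lengths are assumptions, not a specification.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    record_id: int
    field: str
    kind: str
    redacted: str  # never store the full secret in the findings report


def redact(secret: str) -> str:
    """Keep enough of the value to recognise the family, never the whole thing."""
    if len(secret) <= 12:
        return "***"
    return secret[:8] + "..." + secret[-4:]


def scan_records(records):
    """Return a Finding for every credential-shaped string in any string field."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append(Finding(rec["id"], field, kind, redact(match.group(0))))
    return findings


def summarize(findings):
    """Count findings per credential family, useful for a first triage report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for h in hits:
        print(f"record {h.record_id} field {h.field}: {h.kind} {h.redacted}")
    print(summarize(hits))
```

Matching a pattern says nothing about whether the key is live; as UpGuard noted, that question is only for the key’s owner to answer. An AWS account owner can check the status of a found key without using it, for example with `aws iam list-access-keys --user-name <user>`, which reports whether each key is Active or Inactive, and should revoke rather than merely deactivate any key that has been exposed.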