Wednesday, April 2, 2025

API testing firm APIsec exposed customer data during security lapse

API testing firm APIsec has confirmed it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.

The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers’ employees and users, as well as details about the security posture of APIsec’s corporate customers.

Much of the data was generated by APIsec as it monitors its customers’ APIs for security weaknesses, according to UpGuard, the security research firm that found the database.

UpGuard found the leaked data on March 5 and notified APIsec the same day. APIsec secured the database soon after.

APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company’s back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company’s systems.

In a now-published report, which was shared with TechCrunch prior to its release, UpGuard said the exposed data included information about the attack surfaces of APIsec’s customers, such as details about whether multi-factor authentication was enabled on a customer’s account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.

When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained “test data” that APIsec uses to test and debug its product. Lakhani added that the database was “not our production database” and “no customer data was in the database.” Lakhani confirmed that the exposure was due to “human error,” and not a malicious incident.

“We quickly closed public access. The data in the database is not usable,” said Lakhani.

However, UpGuard said it found evidence of data in the database relating to real-world corporate customers of APIsec, including the results of scans of its customers’ API endpoints for security issues.

The data also included some personal information of its customers’ employees and users, including names and email addresses, UpGuard said.

Lakhani backtracked when TechCrunch provided the company with evidence of leaked customer data. In a later email, the founder said the company completed an investigation on the day of UpGuard’s report and “went back and redid the investigation again this week.”

Lakhani said the company subsequently notified customers whose personal information was in the publicly accessible database. Lakhani would not provide TechCrunch, when asked, a copy of the data breach notice that the company allegedly sent to customers.

Lakhani declined to comment further when asked if the company plans to notify state attorneys general as required by data breach notification laws.

UpGuard also found a set of private keys for AWS and credentials for a Slack account and a GitHub account in the dataset, but the researchers could not determine whether the credentials were active, as using the credentials without permission would be unlawful. APIsec said the keys belonged to a former employee who left the company two years ago and were disabled upon their departure. It’s not clear why the AWS keys were left in the database.
