API testing firm APIsec has confirmed it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.

The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers’ employees and users, as well as details about the security posture of APIsec’s corporate customers. Much of the data was generated by APIsec as it monitors its customers’ APIs for security weaknesses, according to UpGuard, the security research firm that found the database.

UpGuard found the leaked data on March 5 and notified APIsec the same day. APIsec secured the database soon after.

APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company’s back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company’s systems.

In a now-published report, which was shared with TechCrunch prior to its release, UpGuard said the exposed data included information about attack surfaces of APIsec’s customers, such as details about whether multi-factor authentication was enabled on a customer’s account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.

When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained “test data” that APIsec uses to test and debug its product. Lakhani added that the database was “not our production database” and “no customer data was in the database.” Lakhani confirmed that the exposure was due to “human mistake,” and not a malicious incident.

“We quickly closed public access. The data in the database is not usable,” said Lakhani.

But UpGuard said it found evidence of information in the database relat...
First seen: 2025-03-31 17:43
Last seen: 2025-04-01 14:46