Real-World Cybersecurity Breaches Caused by Vulnerable APIs
APIs are more than pieces of code: they define the rules and protocols by which separate applications talk to each other. In that role, somewhat like bridges between otherwise isolated systems, they power much of the integration and innovation in modern digital ecosystems. That same importance makes APIs prime targets for threat actors, who look for weaknesses in their design, configuration, or implementation. Here are several real and recent cybersecurity incidents caused by vulnerable APIs.
API Usage and Security
A 2024 report estimated that 71% of today’s web traffic consists of API calls. When you order food through an app like Uber Eats and watch the driver approach, the Google Maps API powers that tracking. In a work context, when Google Drive documents or GitHub repository updates show up directly in Slack, APIs are again doing the work.
Such widespread use of APIs expands cybersecurity attack surfaces in various ways, such as:
Opening up more entry points into IT environments, both through your own API endpoints and through third-party APIs and SDKs that pull external code and data flows into your environment.
Exposing the sensitive data that APIs routinely handle, such as user credentials, personal information, and financial details. If an API lacks transport encryption or strong authentication, an attacker can read that data in transit or simply request it.
Being susceptible to classic code-level vulnerabilities, such as injection attacks, where attacker-controlled API input reaches a database, shell, or other interpreter and is executed as a query or command.
The monitoring problem that comes with scale. APIs that were never cataloged in a detailed inventory (often called shadow or zombie APIs) stay online unpatched and unwatched because nobody remembers they exist.
The non-profit OWASP maintains an API Security Top 10 that names the most common risk classes (broken object level authorization, broken authentication, unrestricted resource consumption, and so on) and is worth reading.
Latest API Security Breaches
So how exactly do these security threats play out in the real world? As the following recent examples show, API security risks are far from hypothetical.
Trello
Trello is a visual project management tool that allows individuals and teams to organize tasks and collaborate through customizable boards, lists, and cards. Its handy drag-and-drop interface makes it popular among marketing, product development, and sales teams.
In a large data leak incident from January 2024, the email addresses and account details of roughly 15 million Trello users were put up for sale on a hacking forum. The culprit? A public API endpoint that accepted an email address and returned the matching account’s public profile without requiring any authentication. A threat actor using the handle “emo” fed a large list of email addresses into that endpoint and kept every hit, linking otherwise public usernames and names to email addresses across 15 million accounts.
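The lookup pattern behind that leak, as an added example that is not Trello’s code: a lookup-by-email endpoint served without authentication, the bulk scrape it permits, and a hardened version that requires a session and meters calls per caller. The user table, the session handling, and the attacker’s address list are all constructed for this illustration.

```python
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed sample data standing in for the profile table behind the endpoint.
USERS = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
    "carol@example.com": {"username": "carol", "full_name": "Carol Example"},
}


def lookup_by_email_vulnerable(email: str) -> Optional[dict]:
    """Unauthenticated lookup keyed on e-mail. Anyone holding a list of
    addresses learns which ones have accounts and gets each profile."""
    return USERS.get(email.lower())


def scrape(candidate_emails: list) -> dict:
    """The attacker's side: feed a bulk address list and keep every hit. The
    result ties each e-mail address to an account profile."""
    hits = {}
    for email in candidate_emails:
        profile = lookup_by_email_vulnerable(email)
        if profile is not None:
            hits[email] = {**profile, "email": email}
    return hits


# Hardened version: a valid session is required and each caller gets a small
# per-window budget, so bulk lookups become slow and attributable.
SESSIONS = {}                        # session token -> e-mail of logged-in user
RATE_LIMIT = 5                       # lookups per window per caller
WINDOW_SECONDS = 60
_recent_calls = defaultdict(list)    # caller -> timestamps of recent lookups


def login(email: str) -> str:
    """Issues a random session token (the password check is omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def lookup_by_email_hardened(session_token: Optional[str], email: str,
                             now: Optional[float] = None) -> tuple:
    """Returns an (HTTP-style status, body) pair."""
    now = time.time() if now is None else now
    caller = SESSIONS.get(session_token or "")
    if caller is None:
        return 401, None                      # no session, no lookup
    window = [t for t in _recent_calls[caller] if now - t < WINDOW_SECONDS]
    if len(window) >= RATE_LIMIT:
        _recent_calls[caller] = window
        return 429, None                      # budget for this window is spent
    window.append(now)
    _recent_calls[caller] = window
    profile = USERS.get(email.lower())
    if profile is None:
        return 404, None
    return 200, dict(profile)
```

The rate limit alone does not stop a patient scraper; what changes the economics is that every lookup is now tied to an account you can suspend, and the per-caller budget turns a 15-million-address run from minutes into something that shows up in your logs as sustained abuse.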
Honda
The Japanese manufacturer’s e-commerce platform had some rather basic API flaws that exposed customer data and internal documents. While Honda is best known for cars and motorbikes, this platform serves its power equipment business (lawnmowers and the like) and the dealers who sell that equipment.
The API vulnerability in question, disclosed in June 2023 by security researcher Eaton Zveare, was a password reset endpoint that, somewhat ironically, accepted a new password for any account given only its email address, with no reset token and no check of the current password. Using this broken access control, the researcher gained access to 21,393 customer orders, internal financial reports, and other details. Honda fixed the flaw after the disclosure; it is not publicly known whether anyone else found and exploited it first.
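The difference between that reset endpoint and a sound one, as an added example that is not Honda’s code: a reset function that trusts the caller’s email address alone, next to a two-step flow that issues a random, single-use, expiring token and stores only its hash. The account table, the helper names, and the use of SHA-256 in place of a real password hash are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed account table. sha256 stands in for a real password hash
# (argon2 or bcrypt) only to keep the example dependency-free.
ACCOUNTS = {"dealer@example.com": {"password_hash": None}}


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


ACCOUNTS["dealer@example.com"]["password_hash"] = _digest("original-password")


def check_password(email: str, password: str) -> bool:
    account = ACCOUNTS.get(email)
    return account is not None and hmac.compare_digest(
        account["password_hash"], _digest(password))


def reset_password_vulnerable(email: str, new_password: str) -> bool:
    """Trusts the request body alone: no reset token, no current password,
    no proof the caller controls the mailbox. Knowing an e-mail address is
    enough to take over the account."""
    account = ACCOUNTS.get(email)
    if account is None:
        return False
    account["password_hash"] = _digest(new_password)
    return True


# Hardened flow: a random, single-use, short-lived token is sent out of band
# and only its hash is stored, so a leaked table cannot be replayed.
RESET_TOKENS = {}                 # digest(token) -> (email, expiry timestamp)
TOKEN_TTL_SECONDS = 15 * 60


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1. Returns the token that would be e-mailed to the account holder.
    Unknown addresses get no token but, over HTTP, the same 'check your inbox'
    reply, so this endpoint does not reveal which e-mails have accounts."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def reset_password_hardened(token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Step 2. The token, not the e-mail address, selects the account."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)   # single use, valid or not
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password_hash"] = _digest(new_password)
    return True
```

The point of the second flow is that the only way to reach the account is through a secret that was delivered to the mailbox owner, and that secret dies on first use or after fifteen minutes, whichever comes first.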
PandaBuy
PandaBuy, an online shopping platform, suffered a serious breach in April 2024 when attackers accessed the data of over 1.3 million customers. The Chinese site acts as an intermediary, shipping goods internationally from Chinese e-commerce sites that do not ship abroad themselves.
Two threat actors working together exploited a series of critical vulnerabilities in PandaBuy’s API. The exposed customer information included names, phone numbers, email addresses, and home addresses. Notably, the company paid a ransom to keep the stolen data from being published, but the payment does not appear to have stopped the threat actors from continuing their extortion.
Optus
Australian telecom company Optus was breached in September 2022 in a case that exemplifies the risk of not cataloging and monitoring APIs. An internet-facing API whose access control had silently broken stayed online for at least four years. An attacker eventually found it, walked straight past the non-functioning access control, and pulled records on over 9 million current and former Optus customers.
A later court filing summed up the breach as “not highly sophisticated or one that required advanced skills or proprietary or internal knowledge.” What caught Optus out was leaving the broken API online and reachable from the internet; the company appears to have lost track of it among all the other moving parts of its IT estate.
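The flaw class at the centre of that incident, broken object level authorization, as an added example that is not Optus’s code and not a reconstruction of the actual Optus API: a customer-record endpoint that takes an ID from the URL and returns the record with no authentication and no ownership check, the ID walk that turns it into a full dump, and the fixed version. The records, the sequential IDs, and the session map are constructed for this illustration.

```python
from typing import Optional

# Constructed records with guessable sequential IDs, the situation that makes
# a missing ownership check trivially exploitable.
CUSTOMERS = {
    1001: {"owner": "alice@example.com", "name": "Alice Example", "dob": "1990-01-01"},
    1002: {"owner": "bob@example.com", "name": "Bob Example", "dob": "1985-06-15"},
    1003: {"owner": "carol@example.com", "name": "Carol Example", "dob": "1979-11-30"},
}
SESSIONS = {"tok-alice": "alice@example.com", "tok-bob": "bob@example.com"}


def get_customer_vulnerable(customer_id: int) -> tuple:
    """No session is required and nothing ties the record to the caller:
    the ID in the URL is the only input, so anyone can read any record."""
    record = CUSTOMERS.get(customer_id)
    return (200, dict(record)) if record else (404, None)


def walk_ids(first: int, last: int) -> dict:
    """The attacker's side: count through the ID space and keep every 200."""
    found = {}
    for cid in range(first, last + 1):
        status, record = get_customer_vulnerable(cid)
        if status == 200:
            found[cid] = record
    return found


def get_customer_hardened(session_token: Optional[str], customer_id: int) -> tuple:
    """Authenticate the caller, then check the record belongs to them.
    'Not yours' and 'does not exist' get the same 404 so the endpoint cannot
    be used to map which IDs are live."""
    caller = SESSIONS.get(session_token or "")
    if caller is None:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner"] != caller:
        return 404, None
    return 200, dict(record)
```

The ownership check is the fix; switching to random identifiers instead of a counter is worth doing as well, but only as defence in depth, since an unguessable ID still leaks the moment it appears in a shared link or a log line.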
Train specifically for API attacks
API security breaches aren’t inevitable. There’s real value in secure coding practices (input validation, an authorization check on every object access, retiring old API versions), in testing your APIs, and in having a way to discover and monitor every API you expose. But beyond a purely preventative approach, there’s also value in actively running attack simulations that target API flaws and preparing your teams to respond to them.
API-specific attack training equips your cybersecurity teams to identify and defend against vulnerabilities unique to APIs, such as broken object level authorization (BOLA), injection attacks, and improper authentication mechanisms. This training helps your IR and SOC teams understand the nuances of API-based attack vectors and better detect and respond to these threats.
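What “detect” looks like for the BOLA-style scraping described above, as an added example that is neither Cloud Range’s nor any vendor’s code: a small detector that parses access-log lines, collapses numeric path segments into a route, and flags any client that touched an unusual number of distinct object IDs on one route inside a time window, with the 404 count as a second signal. The simplified log format (“timestamp client method path status”), the sample lines, and the thresholds are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log in a simplified "timestamp client method path status"
# format: one ordinary client, and one client counting through customer IDs.
LOG_LINES = [
    "2024-05-01T10:00:00Z 198.51.100.4 GET /api/v1/customers/1001 200",
    "2024-05-01T10:03:10Z 198.51.100.4 GET /api/v1/customers/1001/orders 200",
] + [
    f"2024-05-01T10:01:{i:02d}Z 203.0.113.7 GET /api/v1/customers/{1000 + i} "
    f"{200 if i % 3 else 404}"
    for i in range(1, 16)
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse(line: str):
    """Turns one line into an event; numeric path segments become '{id}' so
    requests for different objects collapse onto one route."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    segments = path.split("/")
    ids = [s for s in segments if s.isdigit()]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "route": "/".join("{id}" if s.isdigit() else s for s in segments),
        "object_id": ids[-1] if ids else None,
        "status": int(status),
    }


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Flags each (client, route) that touched more than `threshold` distinct
    object IDs inside any `window`. The 404 count is reported alongside:
    a scraper walking an ID space hits gaps a real user never asks for."""
    events = [e for e in map(parse, lines) if e and e["object_id"] is not None]
    events.sort(key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], e["route"])].append(e)

    alerts = []
    for (client, route), evs in by_key.items():
        best, best_404, start = 0, 0, 0
        for end in range(len(evs)):
            # Sliding window over the time-ordered events for this key.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = len({e["object_id"] for e in span})
            if distinct > best:
                best = distinct
                best_404 = sum(1 for e in span if e["status"] == 404)
        if best > threshold:
            alerts.append({"client": client, "route": route,
                           "distinct_ids": best, "not_found": best_404})
    return alerts
```

Tune the threshold per route from a baseline of normal traffic; a support dashboard legitimately touches many customer IDs, a self-service customer endpoint almost never does, and the latter is where a dozen distinct IDs from one client in five minutes deserves a ticket.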
Live-fire training in Cloud Range’s cyber range gives your team hands-on experience in a controlled, simulated environment that can replicate your network setup. Personnel can learn the dynamics of API attacks, hone their incident response skills, and stress-test their defenses in a safe setting, choosing from a library of pre-configured simulations or building custom ones.
Learn more about our attack simulations.