{"id":659749,"date":"2025-03-31T20:20:46","date_gmt":"2025-03-31T17:20:46","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/api-testing-firm-apisec-exposed-customer-data-during-security-lapse\/"},"modified":"2025-03-31T20:20:46","modified_gmt":"2025-03-31T17:20:46","slug":"api-testing-firm-apisec-exposed-customer-data-during-security-lapse","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/api-testing-firm-apisec-exposed-customer-data-during-security-lapse\/","title":{"rendered":"API testing firm APIsec exposed customer data during security lapse"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">API testing firm APIsec has confirmed it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.<\/p>\n<p class=\"wp-block-paragraph\">The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers\u2019 employees and users, as well as details about the security posture of APIsec\u2019s corporate customers.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Much of the data was generated by APIsec as it monitors its customers\u2019 APIs for security weaknesses, according to UpGuard, the security research firm that found the database.<\/p>\n<p class=\"wp-block-paragraph\">UpGuard found the leaked data on March 5 and notified APIsec the same day. APIsec secured the database soon after.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. 
APIs allow two or more things on the internet to communicate with each other, such as a company\u2019s back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company\u2019s systems.<\/p>\n<p class=\"wp-block-paragraph\">In <a href=\"https:\/\/www.upguard.com\/breaches\/data-leak-apisec\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a now-published report<\/a>, which was shared with TechCrunch prior to its release, UpGuard said the exposed data included information about attack surfaces of APIsec\u2019s customers, such as details about whether multi-factor authentication was enabled on a customer\u2019s account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.<\/p>\n<p class=\"wp-block-paragraph\">When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained \u201ctest data\u201d that APIsec uses to test and debug its product. Lakhani added that the database was \u201cnot our production database\u201d and \u201cno customer data was in the database.\u201d Lakhani confirmed that the exposure was due to \u201chuman mistake,\u201d and not a malicious incident.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cWe quickly closed public access. 
The data in the database is not usable,\u201d said Lakhani.<\/p>\n<p class=\"wp-block-paragraph\">But UpGuard said it found evidence of information in the database relating to real-world corporate customers of APIsec, including the results of scans from its customers\u2019 API endpoints for security issues.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The data also included some personal information of its customers\u2019 employees and users, including names and email addresses, UpGuard said.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Lakhani backtracked when TechCrunch provided the company with evidence of leaked customer data. In a later email, the founder said the company completed an investigation on the day of UpGuard\u2019s report and \u201cwent back and redid the investigation again this week.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Lakhani said the company subsequently notified customers whose personal information was in the database that was publicly accessible. Lakhani would not provide TechCrunch, when asked, a copy of the data breach notice that the company allegedly sent to customers.<\/p>\n<p class=\"wp-block-paragraph\">Lakhani declined to comment further when asked if the company plans to notify state attorneys general as required by data breach notification laws.<\/p>\n<p class=\"wp-block-paragraph\">UpGuard also found a set of private keys for AWS and credentials for a Slack account and GitHub account in the dataset, but the researchers could not determine if the credentials were active, as using the credentials without permission would be unlawful. APIsec said the keys belonged to a former employee who left the company two years ago and were disabled upon their departure. 
It\u2019s not clear why the AWS keys were left in the database.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techcrunch.com\/2025\/03\/31\/api-testing-firm-apisec-exposed-customer-data-during-security-lapse\/\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>API testing firm APIsec has confirmed it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password. 
The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers\u2019 employees and users, as well as details about the security&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-659749","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/659749","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=659749"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/659749\/revisions"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=659749"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=659749"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=659749"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}