How Poor API Security Led to Major Breaches in 2024

Major API Breaches in H1 of 2024

Earlier this year, we provided an overview of the significant security breaches from 2023. It's now clear that for API related breaches, this year is on track to be even worse.

In just the first six months of 2024, there have been a series of alarming breaches, highlighting a critical need for improved API security measures. With insecure API secrets being identified as the top risk in the recently unveiled OWASP Mobile Top 10 for 2024, the urgency of this issue is clear.

In this article, we summarize the major API security incidents of the year so far and share key strategies to implement robust API security protocols.

January 

• Sensitive Messages Breach - A buggy API led to the unauthorized access of 650,000 sensitive messages. This vulnerability not only leaked Office 365 passwords but also allowed a pen-tester to infiltrate and retrieve a trove of confidential messages. This incident demonstrates how a single API flaw can expose highly sensitive information.

• Trello Breach - An exposed Trello API compromised the data of over 15 million users by linking private email addresses with Trello accounts. This breach potentially created millions of data profiles containing both public and private information, highlighting the risks associated with poor API security.

February

• Spoutible’s Data Leak - Troy Hunt's analysis revealed how Spoutible's leaky API exposed personal data, including bcrypt hashes of users' passwords. This breach allowed unauthorized access to critical user information.

March

• Public GitHub Repository Secrets Spill - GitGuardian reported nearly 13 million secrets leaked via public GitHub repositories. The failure to promptly revoke these leaks left companies vulnerable to malicious actors exploiting valid credentials, emphasizing the urgency of addressing these so-called "zombie leaks."

April

• PandaBuy Data Leak - Exploiting several critical vulnerabilities in PandaBuy's API, attackers stole data affecting 1.3 million users. This breach underscored the importance of securing APIs to prevent unauthorized access to internal services and sensitive user information.

May

• Dropbox API Keys Breach - Attackers breached the Dropbox Sign production environment, accessing customer data, MFA information, and API keys. Another reminder of the critical need for robust API security controls to protect sensitive authentication information.
• Microsoft Graph API Abuse - A report from Hacker News detailed how hackers increasingly exploit the Microsoft Graph API for stealthy malware communications. Insights from the Symantec Threat Hunter Team revealed that this strategy allows threat actors to create covert communication channels with command-and-control infrastructure hosted on Microsoft cloud services.
• Dell API Breach - Dell suffered a data breach affecting 49 million customer records due to an API vulnerability. Attackers exploited an API accessible through the partner portal to access fake accounts, revealing a lack of robust API security controls like proper throttling and anomaly detection mechanisms.

June

• RabbitR1 Vulnerability - A community dedicated to reverse engineering the Rabbit R1 AI assistant discovered hardcoded and exposed API keys in its code. This vulnerability potentially enabled access to all R1 responses ever given; again, demonstrating the dangers of inadequate API key protection.

Key Takeaways

As highlighted by these recent breaches, compromised APIs pose several risks, including:

• Data Breaches: Attackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data, such as user credentials, personal information, or financial records.
• Unauthorized Access: Compromised APIs can allow attackers to perform actions or access resources that they shouldn't have permission to, potentially leading to further system compromise or data manipulation.
• API Abuse: Attackers might misuse compromised APIs to perform activities that exceed intended usage limits or to launch automated attacks, such as DDoS (Distributed Denial of Service) attacks.
• Reputation Damage: A compromised API can undermine trust in the organization, leading to reputational damage and loss of customer confidence, especially if customer data is affected.
• Financial Loss: Breaches through compromised APIs can result in financial losses due to regulatory fines, legal fees, remediation costs, and potential compensation to affected parties.
• Operational Disruption: Attacks against APIs can disrupt normal operations, causing downtime or affecting performance, which can impact business continuity and service availability.
• Compliance Issues: Breaches via compromised APIs can violate industry regulations and data protection laws (e.g., GDPR, HIPAA), leading to legal consequences and fines.
• Third-Party Risks: APIs often integrate with third-party services or platforms. Compromised APIs can extend risks to these external partners or dependencies, affecting their operations and security posture as well.

To mitigate these risks, we strongly recommend the following strategies:

• Use strong, unique keys for each API and ensure they are not hardcoded or exposed in the codebase.
• Lockdown endpoints so that they will only respond to your official app, running in trusted environments, and nothing else. This blocks a wide range of attacks which are otherwise possible by spoofing API requests in various ways.
• Secure your APIs at runtime to protect your backend APIs from API abuse, credential stuffing, fake botnet registrations, and DDoS attacks.
• Dynamically manage all certificates, pins, and API keys to ensure they can easily and immediately be updated across all deployed apps, in the event of a security issue.
• Conduct regular security audits and penetration testing to identify and mitigate vulnerabilities.

For further insights on protecting your APIs, speak to one of our experts: Approov API Security.