The world now relies on APIs to function. However, these interfaces that power our daily lives are often left insecure, routinely suffering from a lack of proper authorization controls, misconfigurations, or leaky secrets. This condition has led to severe, high-profile breaches in recent years, exposing millions of user records and resulting in costly penalties.
Below, we'll highlight some of the top API-related breaches that have occurred recently. For each, we'll summarize what went wrong and what actions the attackers were able to perform. We'll also review the consequences of these breaches and suggest some helpful takeaways for API providers to consider going forward.
1. Trello API Overshared Data
In early 2024, 15 million pieces of user information were scraped from public boards on Trello, the cloud-based project management application. A hacker was able to perform this by leveraging a feature of the Trello REST API that, when queried, returned profiles related to all public boards associated with a user’s email address. As Dark Reading covers, a data breach of this size could lead to further account takeovers and spear-phishing attacks.
Trello Allegedly Breached: Database of 15,115,516 User Records Up for Sale
The cybercriminal, who goes by the name 'emo,' claims that the database includes data such as emails, usernames, full names, and other account information.#databreach #CTI #DarkWeb pic.twitter.com/Fim9jOwUzn
— HackManac (@H4ckManac) January 17, 2024
Takeaway : Tightly configure your APIs to limit data overexposure and rate-limit queries to avoid business logic abuse.
2. Hugging Face Token Breach
In December 2023, Lasso Security discovered that over 1,500 tokens associated with Hugging Face, the popular machine-learning model platform, were left exposed in the GitHub and HuggingFace repositories. Using these tokens, researchers gained access to hundreds of organization's accounts. A risk of this nature can leave millions of AI models and datasets vulnerable.
It should be added that exposed API secrets are by no means unique to the AI programming world. In a separate study, Escape researchers found 18,000 API secrets, such as keys and tokens, exposed on the public web, pertaining to all sorts of APIs.
#AI needs secure #APIs, else we are in for some scary times. Thanks to @RetroReversing@jpmello for including my thoughts on this. @SaltSecurity
The Hugging Face API token breach: 5 lessons learned https://t.co/3bVhseQxMe
— 𝙲𝚢𝙱𝚛𝚛𝙽𝚒𝚌𝚔 (@cybrrnick) December 14, 2023
Takeaway : Seriously protect your API keys—don't store them in public locations and rotate them when possible.
3. Unauthorized T-Mobile Data Exfiltration
In early 2023, it was reported that 37 million user accounts had been compromised in a large-scale attack on a T-Mobile API. Although T-Mobile did not disclose the exact details of how the API was compromised, the company did say the access was unauthorized and revealed the nature of the stolen information. The breach was severe enough to prompt an investigation by the SEC. Leakages of this size harm users since the data can be sold on the dark web and leveraged by bad actors for nefarious purposes.
Takeaway : Audit your APIs to ensure proper authorization checks are in place for all internal and external stakeholders.
4. Millions Stolen In Kronos API Hack
Some API breaches are more directly correlated with financial losses. This was certainly the case for cryptocurrency trading firm Kronos, which, in late 2023, suffered an API security breach that resulted in an estimated $25 million in losses. The hack used unauthorized API keys to steal nearly 13 thousand ETH from the platform. In addition to losses, there were also operational consequences since the trading firm had to shut down trading for an entire day, causing partners to go offline. The incident led to a significant loss in user faith at a time when the cryptocurrency market was already feeling a bit murky.
1/ Since 1:20 am (GMT+8), our team has been working round the clock to minimize the impact and resume trading operations, following a hacking incident that involved unauthorized access to our API Keys. https://t.co/t2cP9s69sZ
— Kronos Research 🟠 (@ResearchKronos) November 19, 2023
Takeaway : To avoid vulnerabilities, the API providers themselves must be careful with how they manage their API keys.
5. Optus Breach
In mid-2022, Australian telecommunications company Optus suffered what it called a "sophisticated attack" upon its API, which led to the disclosure of over 11 million customer records. As The Guardian reports, it's unclear as to the exact mechanics of the attack. However, to others, calling it an "attack" in the first place is a joke.
The situation around Optus’ data breach (don’t call it a “hack”, the API was open to the internet) just goes to show why #privacy is a #natsec issue. The solution isn’t more data sharing. We need stronger privacy protections, with real teeth for gross failures like this. #auspol
— @liampomfret@mastodon.social (@LiamPomfret) September 28, 2022
Takeaway : Don't assume anything left open on the web is "private." Take a zero-trust approach with the proper authentication and authorization in place to protect personally identifiable information.
Conducting API Attack Postmortems
Unfortunately, API breaches aren't uncommon. The hacks above follow a string of significant API-related vulnerabilities discovered within popular web applications in recent years, including Venmo, Dropbox, X/Twitter, Zendesk, and plenty of others.
And although most of the breaches covered in this article have to do with leaky data, hackers are not just exploiting holes in APIs for data exfiltration — they're also using them to abuse business logic, conduct denial-of-service attacks, and escalate privileges to perform account takeovers. Knowing this reality, it's good to review the OWASP Top Ten for APIs and follow established API security best practices.
But beyond these practices, a strong software engineering culture learns from breaches when they occur. As Colin Domoney covers in his book 'Defending APIs', it is a good policy to follow the Google SRE doctrine of blameless postmortems.
"The key to conducting these postmortems is that they are blameless – they focus on the causes or issues rather than on the team or individual," says Domoney. So, be sure to conduct _ blameless _ postmortems if and when breaches occur.
Adopt API Governance to Reduce Vulnerabilities
As we've seen, API breaches are becoming more and more common. To decrease these types of risks, it's good to follow API security best practices, and implementing this will hinge on API governance. The right API governance model can help set guidelines for API development, ensuring API designs and coding practices are consistent throughout an organization. A governance framework that requires documentation and cataloging for these services will bring guardrails for API development — helping to avoid these terrible breaches and other potential API risks that keep you awake at night.
Top comments (0)