Into the Breach: Breaking Down 3 Top API Security Breaches
APIs are rapidly growing and are a great tool for businesses, but API security is equally crucial because companies use APIs to acquire data and transfer it between services.
While you are building innovative new systems using APIs, it's important to keep them safe. Otherwise, your business could join the 41% of apps that have witnessed API security incidents.
And when 1 in every 13 cybersecurity incidents involves an API, it goes without saying that an API security breach can lead to a data breach.
Attackers want to exploit APIs, and organisations should secure them more comprehensively. This article examines three modern API security breaches.
Why is securing APIs important?
More than 40% of businesses had an API security incident last year.
API applications are built differently from enterprise web applications, which can lead to specific issues. Unlike a typical web application, an API usually does not have multiple layers of authentication mechanisms in front of it, which can let attackers reach restricted resources such as user accounts and data.
API protection is critical to businesses because APIs expose many aspects of the internal infrastructure, and web application security solutions alone are no longer enough to protect them.
Here are the top 4 reasons to take API endpoint security seriously.
- Man-in-the-Middle Attack (MITM) - An API is only as strong as its security. APIs face some unique vulnerabilities: they are particularly exposed when they rely on a less-than-secure approach to message transmission, and those that fail to implement robust procedures for secure session setup are susceptible to man-in-the-middle (MITM) attacks.
- SQL Injection - Security managers dealing with SQL injection and API attacks would do well to remember that these vulnerabilities mostly arise from input data that is not validated and converted into the appropriate types. During a SQL injection attack on an API, the attacker sends SQL code to the application via an API request so that it reaches the application server and its database.
- Stolen Authentication Attack - A system administrator who configures an API with a weak authentication scheme leaves the application open to attacks that exploit the API. Imagine an API authentication token reaching an untrusted party: it can be used to access resources for malicious purposes while appearing legitimate.
- DDoS (Distributed Denial of Service) Attack - Cybercriminals can deliberately launch a vast number of requests at an API to overwhelm its servers or network, so that it can no longer process or respond to requests as quickly or effectively as it normally would.
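As an added example (not from the original article) of the SQL injection point above about input data that is not filtered into the appropriate type: the same API user lookup written first with string-built SQL and then with type coercion plus a bound parameter, run against a constructed in-memory SQLite table.

```python
# Added example: an API "GET /accounts?id=..." lookup handler built two ways.
# The accounts table, its rows and the function names are constructed for this
# demonstration and are not taken from the article or any real service.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Interpolates the raw query-string value into SQL: untyped and unparameterised."""
    query = f"SELECT id, email FROM accounts WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Coerces the input to the expected type first, then binds it as a parameter."""
    try:
        uid = int(user_id)  # reject anything that is not a plain integer
    except ValueError:
        # A real API handler would map this to an HTTP 400 response.
        raise ValueError("user_id must be an integer") from None
    return conn.execute("SELECT id, email FROM accounts WHERE id = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))         # one row, as intended
    print(lookup_vulnerable(db, "2 OR 1=1"))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, "2"))               # one row
    try:
        lookup_safe(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)               # the typed version never reaches the database
```

The type check alone rejects the malformed value before any SQL is built; the bound parameter is the second, independent layer that protects the query even when a value is legitimately a string.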
Breaking Down 3 Top API Security Breaches
- Venmo - Venmo, the popular mobile payment service owned by PayPal, exposed over 200 million transactions via its API. The Venmo payment app made its data accessible by imposing no restrictions and offering a public API (public by default), which allowed anyone to easily download data comprising sender names, transaction memo descriptions, transaction values, etc. The leaked data included names and transaction descriptions, some of them detailing illegal drug activity. In the final analysis, poor API security is still bad code, regardless of its intentions.
- LinkedIn Leak - Last year, a data breach occurred on LinkedIn, exposing users' publicly available data. This included first names, last names, email addresses, and plain-text passwords of over 92% of their user profiles. Users' account views, shared connections and employment histories were also visible to the public. The breach raises serious privacy concerns, not just for LinkedIn but for other social networks that rely too heavily on sharing personal information and fail to check the security of their third-party vendors. A malicious attacker scraped LinkedIn's data to offer it for sale on the dark web. To get the data, he used their open, authentication-free developer API.
- HubSpot Data Breach - HubSpot, the leading CRM (Customer Relationship Management) tool used by 143,000+ customers in over 100 countries around the globe, recently suffered a data breach. The breach may have affected more than 1.6 million names, emails, and associated contact numbers belonging to current and former HubSpot clients whose accounts were associated with the company's internal customer support portal. An application with hardcoded API keys exposes sensitive details. Through an insider, a bad actor accessed a portion of HubSpot's internal systems and performed actions on a few customer accounts in the cryptocurrency industry, including NYDIG, Swan, and BlockFi.
API Security: The Solution
An ideal solution is WAAP (Web Application and API Protection), a set of security services that protect web-based applications and APIs. With a cloud-based Web Application Firewall, API protection, bot mitigation, and an anti-DDoS solution, the Indusface WAAP platform can serve as the first line of defense for web applications and APIs.