API testing company APIsec has confirmed that it secured an internal database containing customer data that had been connected to the Internet for several days without a password.
The records stored in the exposed APIsec database date back to 2018 and include the names and email addresses of its customers' employees and users, as well as detailed information about the security posture of APIsec's corporate customers.
UpGuard, the security research firm that discovered the database, said that most of the data it contained was generated by APIsec itself.
UpGuard discovered the exposed data on March 5 and notified APIsec the same day. APIsec secured the database soon after.
APIsec, which claims to work with Fortune 500 companies, tests APIs for its various clients. APIs allow two or more things on the Internet to talk to each other, such as the backend systems of a company and the applications and websites through which users access them. Insecure APIs can be leveraged to siphon sensitive data from corporate systems.
The data that UpGuard shared with TechCrunch before publication includes information about the attack surface of APIsec customers, such as details about whether multi-factor authentication is enabled on a customer's account. UpGuard said this information could provide useful technical intelligence to malicious adversaries.
When TechCrunch sought comment, APIsec founder Faizel Lakhani initially played down the security lapse, saying the database contained “test data” that APIsec uses to test and debug its products. Lakhani added that the database was not “our production database” and that “there is no customer data in the database”. Lakhani confirmed that the exposure was due to “human error” and not a malicious incident.
“We quickly shut down public access. The data in the database is not available,” Lakhani said.
But UpGuard said it found evidence in the database of information relating to APIsec's real-life enterprise customers, including the results of scans of the clients' API endpoints.
UpGuard said the data also includes some personal information about APIsec's customers and users, including names and email addresses.
Lakhani backtracked when TechCrunch provided the company with evidence that customer data had been exposed. The company said in a later email that it had completed an investigation into the UpGuard report that day and “re-investigated again this week.”
Lakhani said the company then notified customers whose personal information was publicly accessible in the database. When asked, Lakhani would not provide TechCrunch with a copy of the data breach notification the company said it sent to customers.
When asked whether the company plans to notify the state attorney general under the Data Breach Notification Act, Lakhani declined to comment further.
UpGuard also found a set of AWS private keys and credentials for Slack and GitHub accounts in the dataset, but researchers were unable to determine whether the credentials were still active, since using them without permission would be illegal. The keys belonged to a former employee who left the company two years ago and were disabled after their departure, APIsec said. It is not clear why the AWS keys remained in the database.