API testing firm APIsec has confirmed it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.
The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers’ employees and users, as well as details about the security posture of APIsec’s corporate customers.
Much of the data was generated by APIsec as it monitors its customers’ APIs for security weaknesses, according to UpGuard, the security research firm that found the database.
UpGuard found the leaked data on March 5 and notified APIsec the same day. APIsec secured the database soon after.
APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two things or more on the internet to communicate with each other, such as a company’s back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company’s systems.
In a now-published report, which was shared with TechCrunch prior to its release, UpGuard said the exposed data included information about attack surfaces of APIsec’s customers, such as details about whether multi-factor authentication was enabled on a customer’s account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.
When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained “test data” that APIsec uses to test and debug its product. Lakhani added that the database was “not our production database” and “no customer data was in the database.” Lakhani confirmed that the exposure was due to “human mistake,” and not a malicious incident.
“We quickly closed public access. The data in the database is not usable,” said Lakhani.
But UpGuard said it found evidence of information in the database relating to real-world corporate customers of APIsec, including the results of scans from its customers’ API endpoints for security issues.
The data also included some personal information of its customers’ employees and users, including names and email addresses, UpGuard said.
Lakhani backtracked when TechCrunch provided the company with evidence of leaked customer data. In a later email, the founder said the company completed an investigation on the day of UpGuard’s report and “went back and redid the investigation again this week.”
Lakhani said the company subsequently notified customers whose personal information was in the database that was publicly accessible. Lakhani would not provide TechCrunch, when asked, a copy of the data breach notice that the company allegedly sent to customers.
Lakhani declined to comment further when asked if the company plans to notify state attorneys general as required by data breach notification laws.
UpGuard also found a set of private keys for AWS and credentials for a Slack account and GitHub account in the dataset, but the researchers could not determine if the credentials were active, as using the credentials without permission would be unlawful. APIsec said the keys belonged to a former employee who left the company two years ago and were disabled upon their departure. It’s not clear why the AWS keys were left in the database.
