8 Significant API Breaches of Recent Years
J Simpson
May 4, 2023

API breaches are a major security problem. According to one recent survey, 41% of organizations experienced an API security incident in the last year; another survey reports that API security incidents increased by 681% in a single year. The consequences can be disastrous. A single breach can expose millions of sensitive user records, destroy the trust between a company and its users, and carry severe financial repercussions. With that in mind, we’ve assembled a list of eight of the most significant API breaches of the last two years to give you an idea of what kinds of API vulnerabilities are out there.

1. Optus

In the Optus API breach, attackers discovered a publicly exposed endpoint that did not require authentication. The endpoint returned highly sensitive customer data, from driver’s license numbers to phone numbers, dates of birth and home addresses. To make matters worse, the API used sequential customer identifiers, so an attacker who found one valid ID only had to count upward to enumerate every record. The underlying failure is the classic one: the server handed back whatever record was named in the request without checking who was asking or whether they were entitled to that record.

The breach had a massive reputational and financial impact on the company. An estimated 11.2 million customer records were exposed, and the financial cost has been estimated at over $140 million.

2. 3Commas

Some API breaches cause even more direct financial damage, and not only to the company. That was the case in the final days of 2022, when the cryptocurrency trading platform 3Commas was hacked to the tune of $22 million in crypto. After initially blaming the losses on phishing, 3Commas confirmed that the attacker had obtained a large store of API keys. To make matters worse, the attacker then dumped around 10,000 of those keys anonymously on Twitter, causing further damage and chaos. The FBI is now investigating the 3Commas breach.

The 3Commas breach reveals some interesting challenges facing the API industry.
The leaked keys had been created by 3Commas customers for integrating with third-party applications, so they did not belong to 3Commas at all; 3Commas merely stored credentials that grant access elsewhere. That raises a hard question about how to contain such a breach. One approach is to ask affected customers to revoke and regenerate their keys, but that adds insult to injury for people who are already upset and exposed, and it is bound to be incomplete, since some users will miss the notice.

3. Beetle Eye

Towards the end of 2021, marketing platform Beetle Eye suffered a breach that exposed seven million customer records. An unsecured AWS S3 bucket let anyone who found it read over 1 GB of data: more than 6,000 files belonging to ten different clients, including Hilton Sandestin Beach, the Marigot Bay Resort, and Miles Partnership. The exposed data included sales-lead datasets as well as standard personal data such as first name, last name, and address. The bucket required no credentials whatsoever to read. Note that S3 buckets are not protected by passwords in the first place: access is governed by IAM and bucket policies together with the account’s public access block settings. The fix is not to "add a password" but to block public access outright and grant read rights only to the specific principals that need them.

4. Dropbox

Here is an API breach that actually was caused by phishing. On November 1, 2022, attackers gained access to Dropbox’s internal GitHub code repositories, 130 of them in all, some containing API keys and user data. The phishing email impersonated CircleCI, a popular CI/CD service. Targets were taken to a counterfeit CircleCI page that prompted them for their GitHub username and password and then for their one-time password as well. A one-time password is only good for a short window, but that is all a live phishing page needs: it can forward the code to the real site immediately.

As you can see, this was no low-effort email scam. The attackers clearly knew what they were doing and possessed a high level of technical sophistication. It is a sign that we all need to step up our vigilance in 2023, as cybercriminals get savvier each year.
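The Dropbox flow above is worth seeing mechanically: a one-time password can be relayed by a phishing page, while an authenticator that binds its response to the web origin cannot be. The following is an added example, not code from the original article or from Dropbox, GitHub or CircleCI. The TOTP seed, the device key, both hostnames and the relay are constructed for the demonstration, and the origin-bound assertion uses an HMAC with a per-device secret as a stand-in for the public-key signature a real FIDO2/WebAuthn authenticator would produce.

```python
"""Why a phishing page beats one-time passwords but not origin-bound authenticators.

Added example: all secrets, hostnames and the attacker's relay are constructed.
The assertion scheme is a simplified stand-in for a WebAuthn signature.
"""
import hashlib
import hmac
import struct
import time

# Constructed fixtures: one user enrolled with both a TOTP app and a device-bound key.
TOTP_SECRET = b"constructed-totp-seed-for-demo"
DEVICE_KEY = b"constructed-per-device-secret"    # never leaves the user's device
LEGIT_ORIGIN = "https://github.example"           # assumed real site
PHISH_ORIGIN = "https://github-circleci.example"  # assumed attacker's look-alike


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(submitted: str, at: float) -> bool:
    """The real site only checks that the code matches the current window."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, at))


def phish_relay_totp(at: float) -> bool:
    """Attacker-in-the-middle: the victim types the code into the fake page and
    the attacker forwards it to the real site inside the same 30 s window."""
    code_typed_by_victim = totp(TOTP_SECRET, at)         # read off the victim's app
    return server_verify_totp(code_typed_by_victim, at)  # relay is accepted


def client_assert(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Origin-bound authenticator: the browser mixes the origin it is actually
    talking to into the signed data; the user cannot override that."""
    return hmac.new(DEVICE_KEY, origin_seen_by_browser.encode() + challenge,
                    hashlib.sha256).digest()


def server_verify_assertion(challenge: bytes, assertion: bytes) -> bool:
    """The real site verifies against its own origin, not whatever the client claims."""
    expected = hmac.new(DEVICE_KEY, LEGIT_ORIGIN.encode() + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(assertion, expected)


def _challenge() -> bytes:
    # Constructed stand-in for the random per-login challenge the server issues.
    return hashlib.sha256(b"constructed-server-challenge").digest()


def phish_relay_assertion() -> bool:
    """Same relay against the origin-bound flow: the attacker forwards the real
    site's challenge, but the victim's browser signs it for the phishing origin,
    so the real site rejects it."""
    challenge = _challenge()
    relayed = client_assert(challenge, PHISH_ORIGIN)
    return server_verify_assertion(challenge, relayed)


def legit_assertion() -> bool:
    """Control case: the same device talking to the real origin is accepted."""
    challenge = _challenge()
    return server_verify_assertion(challenge, client_assert(challenge, LEGIT_ORIGIN))


if __name__ == "__main__":
    now = time.time()
    print("TOTP relayed through phishing page accepted:", phish_relay_totp(now))
    print("Origin-bound assertion relayed accepted:   ", phish_relay_assertion())
    print("Origin-bound assertion from real site:     ", legit_assertion())
```

The point of the example is the asymmetry in what the user can get wrong. With a code, the user is the only thing checking the origin, and a convincing page defeats that check. With an origin-bound authenticator the browser supplies the origin it is really connected to, so credentials captured on github-circleci.example are useless against github.example even when relayed within seconds.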
Luckily, Dropbox reports that the attackers were limited to downloading the code repositories and did not reach user accounts, which is bad news for Dropbox but better news for its users.

5. Twitter

Twitter experienced one of the biggest API breaches of the past two years. In December 2021, attackers exploited a vulnerability in a Twitter API that, given an email address or phone number, returned the associated Twitter account, and used it to harvest the records of over 5.4 million users. The breach could have been worse, since it exposed only users’ names, phone numbers, and email addresses. But a mapping from phone number or email to account handle is exactly what targeted phishing and the unmasking of pseudonymous accounts require, so a creative attacker has plenty to work with. It also greatly damaged users’ trust and confidence in the social network, which was already reeling.

6. FlexBooker

Here is another API breach involving AWS-hosted storage. In December 2021, FlexBooker reported a breach that exposed 3.7 million user records; part of the system’s data storage was also downloaded. Not only was sensitive user data compromised, the attack also caused downtime. The appointment scheduling platform restored service in about 12 hours, but that was a critical hit to its reputation on top of the loss of user trust. It is one more example of the many different ways an API breach can damage an organization.

7. Texas Department of Insurance

Even government institutions are vulnerable to API attacks. It turns out the Texas Department of Insurance (TDI) had been exposing data to the public for years before the problem came to light in January 2022. The endpoint that exposed the data, which included Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries, had been reachable by the public from March 2019 to January 2022 due to a software error.
The exposure covered 1.8 million records of Texans who had filed insurance claims. Luckily, to date TDI reports no evidence that the exposed data has been misused, but it is still a major breach of trust and a blow to public confidence in government organizations.

8. Zendesk

Zendesk, a popular help desk ticketing platform, had a GraphQL endpoint whose backend built SQL queries from user-supplied input and was therefore vulnerable to SQL injection. The flaw could be used to pull sensitive data out of the database: customers’ conversations, email addresses, ticket numbers, and comments. A second flaw meant the API answered queries without first checking that the caller was authorized to see the requested data. The vulnerability was fixed quickly after it was reported, which kept the potential damage to a minimum.

The main lesson from Zendesk is that a GraphQL layer does nothing on its own to protect the database behind it. Fix SQL injection at the source by passing user input to the database only as bound query parameters, never by string concatenation, and enforce authorization inside every resolver. A web application firewall in front of the endpoint is at best defense in depth; it is not a fix.

Final Thoughts On Major API Breaches

As you can see, API breaches have affected tens of millions of consumers in the past two years alone, and many of these incidents were entirely preventable. Going forward: block public access to your cloud storage buckets and grant access by explicit policy, not by obscurity. Never leave sensitive user data behind unauthenticated endpoints, check on every request that the caller is allowed to see the specific object it asks for, and avoid sequential identifiers that make enumeration trivial. Harden GraphQL endpoints with parameterized queries and per-resolver authorization rather than relying on a firewall. Use phishing-resistant multi-factor authentication for developer accounts, since one-time passwords can be relayed by a well-built phishing site. Follow these guidelines, learn from the mistakes of the past few years, and you will be well on your way toward being safer from API breaches.
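Two of the failure modes listed above, the Optus-style unauthenticated lookup on sequential IDs and the Zendesk-style query that splices user input into SQL, are easiest to understand side by side with their fixes. What follows is an added example, not code from the original article or from Optus or Zendesk. The ticket table, the tenants and the bearer tokens are constructed, and plain Python functions stand in for the HTTP handlers or GraphQL resolvers. The uniform "not found" response in the hardened lookup is also the answer to the Twitter email-and-phone lookup problem: the API must not reveal which identifiers exist.

```python
"""Broken object-level authorization and SQL injection, vulnerable and hardened.

Added example with a constructed SQLite data store; the functions stand in for
API handlers. Tokens are assumed to be issued by an auth service not shown here.
"""
import secrets
import sqlite3

# Constructed data store: two tenants, each owning one ticket.
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.executescript("""
    CREATE TABLE tickets(id INTEGER PRIMARY KEY, owner TEXT, email TEXT, body TEXT);
    INSERT INTO tickets VALUES (1, 'acme',   'alice@acme.example',  'VPN down again');
    INSERT INTO tickets VALUES (2, 'globex', 'bob@globex.example',  'invoice dispute');
""")
TOKENS = {"tok-acme": "acme", "tok-globex": "globex"}  # bearer token -> tenant


# --- vulnerable: no authentication, no ownership check, sequential IDs ----------
def get_ticket_vulnerable(ticket_id: int):
    row = DB.execute("SELECT owner, email, body FROM tickets WHERE id = ?",
                     (ticket_id,)).fetchone()
    return row  # whoever asks, gets it


def enumerate_vulnerable(max_id: int) -> list:
    """What the attacker does: count upward and keep everything that answers."""
    return [r for i in range(1, max_id + 1) if (r := get_ticket_vulnerable(i))]


# --- vulnerable: SQL assembled by string formatting ------------------------------
def search_vulnerable(token: str, term: str) -> list:
    tenant = TOKENS.get(token)
    sql = ("SELECT owner, email, body FROM tickets "
           f"WHERE owner = '{tenant}' AND body LIKE '%{term}%'")
    return DB.execute(sql).fetchall()  # `term` can rewrite the WHERE clause


# --- hardened ---------------------------------------------------------------------
class Forbidden(Exception):
    pass


def authenticate(token: str) -> str:
    tenant = TOKENS.get(token)
    if tenant is None:
        raise Forbidden("missing or invalid token")
    return tenant


def get_ticket_hardened(token: str, ticket_id: int):
    tenant = authenticate(token)
    row = DB.execute("SELECT owner, email, body FROM tickets WHERE id = ?",
                     (ticket_id,)).fetchone()
    # Object-level authorization: the caller may only see its own records.
    # Answering 'not found' identically for foreign and non-existent IDs also
    # denies the attacker a map of which IDs exist.
    if row is None or row[0] != tenant:
        return None
    return row


def search_hardened(token: str, term: str) -> list:
    tenant = authenticate(token)
    # Parameters travel to SQLite separately from the statement text, so a quote
    # or comment marker in `term` is data, never syntax. The wildcards are added
    # to the value, not to the SQL.
    return DB.execute(
        "SELECT owner, email, body FROM tickets WHERE owner = ? AND body LIKE ?",
        (tenant, f"%{term}%"),
    ).fetchall()


def new_public_id() -> str:
    """Non-sequential identifier for anything exposed in URLs or query arguments.
    Not a substitute for the ownership check above, but it removes the cheap
    count-upward enumeration that Optus suffered."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    payload = "%' OR 1=1 --"  # constructed injection payload
    print("unauthenticated enumeration :", enumerate_vulnerable(10))
    print("injection escapes tenant     :", search_vulnerable("tok-acme", payload))
    print("hardened, same payload       :", search_hardened("tok-acme", payload))
    print("hardened cross-tenant read   :", get_ticket_hardened("tok-acme", 2))
    print("fresh public id              :", new_public_id())
```

Run it and the vulnerable search returns both tenants' tickets for the injected term, because `--` comments out the rest of the clause and `1=1` is true for every row; the hardened search treats the same string as a literal and returns nothing. The hardened lookup returns `None` for a ticket the caller does not own, exactly as it would for an ID that does not exist.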
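The Beetle Eye and FlexBooker entries both come down to cloud storage that anyone could read, and the guideline above to "safeguard your AWS buckets" is easier to act on with a concrete check. The following is an added example, not code from the article or from either company: a small linter that evaluates a bucket policy document and a PublicAccessBlock configuration in the shapes returned by `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`. Both sample documents are constructed, and the bucket and role names in them are made up. It catches the obvious ways a bucket becomes world-readable; it is not a full IAM policy evaluator.

```python
"""Flag S3 bucket configurations that let anyone on the internet read the data.

Added example with constructed policy documents; checks the common cases only.
"""
import json

# Actions that let a caller read objects or list keys (lower-cased for matching).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_read_statements(policy: dict) -> list:
    """Sids of Allow statements that grant read access to everyone with no
    Condition narrowing the grant (for example to a VPC endpoint or source account)."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_everyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS and not st.get("Condition"):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def public_access_blocked(pab: dict) -> bool:
    """All four switches must be on. With BlockPublicPolicy alone set, S3 would
    have refused to attach the leaky policy below in the first place."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)


def assess(policy: dict, pab: dict) -> list:
    """Human-readable findings; an empty list means nothing obviously wrong."""
    out = [f"policy statement '{sid}' grants read access to everyone"
           for sid in public_read_statements(policy)]
    if not public_access_blocked(pab):
        out.append("PublicAccessBlock is not fully enabled")
    return out


# Constructed: the kind of policy that makes a lead-export bucket world-readable.
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LetTheCdnRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leads-export/*"}
  ]
}""")
# Constructed: the same grant scoped to one IAM role, with public access blocked.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LetTheCdnRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/lead-export-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leads-export/*"}
  ]
}""")
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    print("leaky bucket:", assess(LEAKY_POLICY, PAB_OFF))
    print("fixed bucket:", assess(FIXED_POLICY, PAB_ON))
```

The two documents illustrate the actual fix: there is no password to add, so the remedy is to name the principal that needs access and to turn on all four PublicAccessBlock switches so that a future "Principal": "*" statement cannot be attached at all.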