Image Credits: Olena Ruban / Getty Images

API testing firm APIsec has confirmed it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.

The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers’ employees and users, as well as details about the security posture of APIsec’s corporate customers.

Much of the data was generated by APIsec as it monitors its customers’ APIs for security weaknesses, according to UpGuard, the security research firm that found the database.

UpGuard found the leaked information on March 5 and notified APIsec the same day. APIsec secured the database soon after.

APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company’s back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company’s systems.

In a now-published report, which was shared with TechCrunch prior to its release, UpGuard said the exposed data included information about the attack surfaces of APIsec’s customers, such as details about whether multi-factor authentication was enabled on a customer’s account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.

When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained “trial data” that APIsec uses to test and debug its product. Lakhani added that the database was “not our yield database” and “no customer data was in the database.” Lakhani confirmed that the exposure was due to “human mistake,” and not a malicious incident.

“We quickly closed public access. The information in the database is not functional,” said Lakhani.

But UpGuard said it found evidence of information in the database relating to real-world corporate customers of APIsec, including the results of scans of its customers’ API endpoints for security issues.

The data also included some personal information of its customers’ employees and users, including names and email addresses, UpGuard said.

Lakhani backtracked when TechCrunch provided the company with evidence of leaked customer data. In a later email, the founder said the company completed an investigation on the day of UpGuard’s report and “went back and redid the investigation again this week.”

Lakhani said the company subsequently notified customers whose personal information was in the database that was publicly accessible. Lakhani would not provide TechCrunch, when asked, a copy of the data breach notice that the company allegedly sent to customers.

Lakhani declined to comment further when asked if the company plans to notify state attorneys general as required by data breach notification laws.

UpGuard also found a set of private keys for AWS and credentials for a Slack account and GitHub account in the dataset, but the researchers could not determine if the credentials were active, as using the credentials without permission would be unlawful. APIsec said the keys belonged to a former employee who left the company two years ago and were disabled upon their departure. It’s not clear why the AWS keys were left in the database.