Biggest Data Breaches Caused by API Mistakes

Given that over 80% of internet traffic runs through APIs, it's no surprise that cybercriminals often try to find ways to exploit API vulnerabilities.

Over the last decade, major data breach incidents have increased, affecting hundreds of millions as attackers exploit data dependencies in everyday life. The number of data breaches increased by 68% year-over-year in 2021, setting a new record.

Private information tends to be a profitable data mound, hence the increase in the number of data breaches. And although data breaches are becoming increasingly common, even the largest organizations are unprepared for these attacks.

How Does an API Attack Work?

An API is an intermediary software tool that facilitates the connection between applications. In most cases, APIs contain information about their implementation methods and structure.

When a cybercriminal gains access to this information, they can use it to launch cyberattacks. Typically, the attacker will try to find more API vulnerabilities ranging from a lack of encryption to a poor authentication process.

It is essential to note that API attacks can be launched in various innovative ways, and they tend to be very different, making them harder to detect, predict and protect against.

Top Breaches Caused by API Mistakes

We have compiled a list of the top data breaches caused by API vulnerability exploitation that will significantly help organizations better understand the importance of data security and why to invest more in security costs.

Yahoo

In December 2016, Yahoo revealed that over three billion user accounts were breached. The attack took place three years earlier, in August 2013. Yahoo revealed that sensitive personal information, including names, phone numbers, dates of birth, and encrypted passwords, was part of the breach.

The attack began with a spear-phishing email sent years ago to an employee. The cybercriminal targeted two main areas: Yahoo's user database and the Account Management Tool, which is used to edit the database. After gaining privileges, the cybercriminal escalated it by installing a backdoor on a server that would always allow them access. Soon, the attacker stole the backup copy of Yahoo's user database and transferred it to their own computer.

It is critical to note that at the time, Yahoo was in the process of being acquired by Verizon, and it was estimated that a group of criminals had accessed the account records of more than a billion of its customers. Yahoo said the revised estimate was not a new security issue and sent emails to all additional affected user accounts.

LinkedIn

LinkedIn, owned by Microsoft, has always been an invaluable target for cybercriminals. In June 2021, A hacker called "God User Tom Liner'' used data scraping techniques by exploiting the site's APIs to collect over 700 million users' information and posted them for sale on a dark web forum called RaidForums, impacting over 90% of its user base.

A sample of extracted data posted by God User contained information like usernames, email addresses, phone numbers, geo-location logs, gender, and other social network account information. LinkedIn claims that the attack could not be technically termed a breach because the information exposed was already public, and it seemed to be an “aggregation of data from several websites and companies” and “publicly viewable member profile data.”

However, the implication of this incident is that more cybercriminals will leverage this vulnerability to scrape more data on LinkedIn APIs. Also, they will have a large amount of data to create compelling social engineering attacks after the leak, as warned by the NCSC in the UK.

Facebook

It was revealed in April 2019 that two datasets from third-party Facebook applications had been exposed to the public internet. The information contained the details of more than 530 million Facebook users, which included their phone numbers, account names, and Facebook IDs - and in some cases, even passwords set by the 22,000 users for the third-party Facebook application had been exposed.

This attack was possible because of the third-party developer’s API vulnerability. The API allows Facebook users to view their account interface from the perspective of other users. However, its loophole allowed the attacker to get access tokens which he used to escalate the privileges that resulted in the attack.

This attack is seen as a huge breach of Facebook’s user privacy when the implications are considered. One of which was the free publication of the extracted data on the dark web Two years later (April 2021). This publication included information as sensitive as mobile phone numbers of users on the dark web and passwords they might have used for other online accounts (including their Facebook passwords).

USPS Customer Database

The USPS customer database was another target in 2018. Critical information belonging to over 60 million users was exposed to attackers because of the vulnerabilities found in their API service.

This attack was initiated on their API called “informed visibility”, which was designed to let businesses, advertisers, and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

Reports state that the attacker was able to gain privileged access to the API because of poor access control. Moreover, API already has an unpatched vulnerability that exposes its users while performing its function. Hence, when the attacker gained access to the API, they encountered no anti-scraping mechanisms that would prevent him from querying the API and extracting users’ vital information.

It seemed the attacker, however, was not malicious in nature, as he contacted the media about the discovery of this API vulnerability and wished for USPS to fix it - this flawed API was then eventually removed by USPS.

How to Protect Your APIs from Attacks and Breaches

Because organizations and developers are eager to digitize their businesses and advance their transformation goals, they need to invest in implementing API security best practices such as API testing.

To mitigate an API data breach, an organization should follow these steps to secure its existing APIs:

• Identify APIs within your organization to avoid the risk of hidden or zombie APIs.
• Use detailed access controls for each API to authenticate users and avoid broken user authentication.
• Implement encryption methods to ensure secure data transfer.
• Implement API request rate limit to mitigate IP abuse.
• Ensure collaboration between developers, IT, and security teams.

Verdict

Proper cybersecurity practice advocates for mitigation before a response. Lately, threat actors think out of the box in order to perform many of the devastating attacks we see today. Hence, it is necessary that everything is built with a secure foundation.

This cannot be emphasized enough since the risk that is projected from API exploitations can cost billions of dollar loss for any affected enterprise. Enterprises can also patch up vulnerabilities discovered in their API services to meet up with the required protection standards to keep their business thriving.