API testing company APIsec has confirmed that it has secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.
The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers' employees and users, as well as details of the security posture of APIsec's corporate customers.
Much of the data was created by APIsec as it monitors its customers' APIs for security weaknesses, according to UpGuard, the security company that found the database.
UpGuard found the leaking data on March 5 and notified APIsec on the same day. APIsec secured the database soon after.
APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company's back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company's systems.
In a report, which was shared with TechCrunch before its release, UpGuard stated that the exposed data included information on the attack surfaces of APIsec's customers, such as details of whether multi-factor authentication was activated on a customer's account. UpGuard said that this information could provide useful technical intelligence to a malicious adversary.
When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the lapse, saying the database contained APIsec "test data" to test and identify its product. Lakhani added that the database was "not our production database" and "there were no customer data in the database". Lakhani confirmed that the exposure was due to "human error" and not to a malicious incident.
“We quickly closed the public access. The data in the database is not usable,” Lakhani said.
However, UpGuard said it found information in the database belonging to APIsec's real corporate clients, including the results of scans of its customers' API endpoints for security issues.
The data also included certain personal information of its customers' employees and users, including names and email addresses, UpGuard said.
Lakhani backtracked when TechCrunch provided the company with evidence of the leaked data. In a later email, the founder said the company completed an investigation on the day of the UpGuard report and “returned and repeated the survey again this week”.
Lakhani said the company subsequently informed customers whose personal information was in the database that was accessible to the public. When asked, Lakhani would not provide TechCrunch with a copy of the data breach notice that the company allegedly sent to customers.
Lakhani declined to comment further when asked if the company plans to notify attorneys general, as required by data breach notification laws.
UpGuard also found a set of private keys for AWS and credentials for Slack and GitHub in the data set, but the researchers could not determine whether the credentials were active, as using the credentials without permission would be unlawful. APIsec said the keys belonged to a former employee who left the company two years ago and were disabled on their departure. It is not clear why the AWS keys remained in the database.