- Researchers have found an unprotected database containing sensitive customer data
- It belongs to Apisec, a company specializing in API security tests
- Affected customers have been informed
Apisec, a company specializing in proactive, automated and continuous API security testing, may have inadvertently exposed sensitive customer data online, experts said.
The discovery was first made by cybersecurity researchers at Upguard and then confirmed by the company itself.
The data was stored in an Internet-connected database that was not password-protected, and it apparently remained that way for “several” days before being locked down shortly after Upguard notified Apisec.
Notification of affected customers
Since the company scans its customers’ APIs for security weaknesses, most of the data was generated by its own products.
Some of the data dated back to 2018 and included customer names and user names, email addresses, and API security posture information. Because this data included details such as whether 2FA was enabled or not, it is the kind of information that can be very useful to a threat actor.
Apisec reportedly first tried to play down the incident, saying that the database held “test data”, that it was not the company’s production database, and that it did not contain customer data, but changed its position when presented with information suggesting otherwise.
Upguard apparently found evidence that the database also held data from customers at real-world companies, including names, email addresses and scan results.
After Techcrunch shared the information with Apisec, the company said it had informed the customers whose personal information was found in the data. However, it did not say how many people were affected, nor would it share a copy of the notification letter.
Unprotected databases remain one of the main causes of sensitive data leaks. Many organizations use the cloud to host information about their employees, clients or customers, forgetting that cloud hosting operates on a shared responsibility model: the provider secures the underlying infrastructure, but access controls on the data itself remain the customer’s job.