API testing firm APIsec has confirmed that it secured an exposed internal database containing customer data, which had been connected to the internet for several days without a password.
The exposed APIsec database held data dating back to 2018, including the names and email addresses of its customers' employees and users, as well as details about the security posture of APIsec's customers.
Most of the data was generated by APIsec while monitoring its customers' APIs for security weaknesses, according to UpGuard, the security research firm that found the database.
UpGuard found the exposed data on March 5 and notified APIsec the same day. APIsec secured the database shortly thereafter.
APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests the APIs of its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company's back-end systems with users accessing its app and website. Insecure APIs can be used to siphon sensitive data from a company's systems.
In a now-published report, shared with TechCrunch ahead of its release, UpGuard said the exposed data included information about APIsec customers' attack surfaces, such as details of whether multi-factor authentication was enabled on a customer's account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.
When reached by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying the database contained “test data” that APIsec uses to test and debug its product. Lakhani added that the database was “not our production database” and “no client data was in the database”. Lakhani confirmed that the exposure was due to “human error”, and not a malicious incident.
“We quickly closed the public entry. The data in the database is not usable,” Lakhani said.
But UpGuard said it found evidence of information in the database concerning APIsec's real-world corporate customers, including scans of its customers' endpoints for security issues.
The data also included some personal information of its customers' employees and users, including names and email addresses, UpGuard said.
Lakhani backtracked when TechCrunch provided the company with evidence of leaked customer data. In a later email, the founder said the company completed an investigation on the day of the UpGuard report and “returned again and redesigned the investigation again this week.”
Lakhani said the company then notified customers whose personal information was in the publicly accessible database. When asked, Lakhani would not provide TechCrunch with a copy of the data breach notice that the company allegedly sent to customers.
Lakhani declined to comment further when asked whether the company plans to notify state attorneys general, as required by data breach notification laws.
UpGuard also found a set of private AWS keys and credentials for a Slack account and a GitHub account in the data, but the researchers could not determine whether the credentials were still active, as using credentials without authorization would be illegal. APIsec said the keys belonged to a former employee who left the company two years ago and were deactivated when they left. It is not clear why the AWS keys were left in the database.