Takeaways From 5 Terrible API Breaches

The world now relies on APIs to function. However, these interfaces that power our daily lives are often left insecure, routinely suffering from a lack of proper authorization controls, misconfigurations, or leaky secrets. This condition has led to severe, high-profile breaches in recent years, exposing millions of user records and resulting in costly penalties.

Below, we'll highlight some of the top API-related breaches that have occurred recently. For each, we'll summarize what went wrong and what actions the attackers were able to perform. We'll also review the consequences of these breaches and suggest some helpful takeaways for API providers to consider going forward.

1. Trello API Overshared Data

In early 2024, 15 million pieces of user information were scraped from public boards on Trello, the cloud-based project management application. A hacker was able to perform this by leveraging a feature of the Trello REST API that, when queried, returned profiles related to all public boards associated with a user’s email address. As Dark Reading covers, a data breach of this size could lead to further account takeovers and spear-phishing attacks.

Takeaway: Tightly configure your APIs to limit data overexposure and rate-limit queries to avoid business logic abuse.

2. Hugging Face Token Breach

In December 2023, Lasso Security discovered that over 1,500 tokens associated with Hugging Face, the popular machine-learning model platform, were left exposed in the GitHub and HuggingFace repositories. Using these tokens, researchers gained access to hundreds of organization's accounts. A risk of this nature can leave millions of AI models and datasets vulnerable.

It should be added that exposed API secrets are by no means unique to the AI programming world. In a separate study, Escape researchers found 18,000 API secrets, such as keys and tokens, exposed on the public web, pertaining to all sorts of APIs.

Takeaway: Seriously protect your API keys—don't store them in public locations and rotate them when possible. 

3. Unauthorized T-Mobile Data Exfiltration

In early 2023, it was reported that 37 million user accounts had been compromised in a large-scale attack on a T-Mobile API. Although T-Mobile did not disclose the exact details of how the API was compromised, the company did say the access was unauthorized and revealed the nature of the stolen information. The breach was severe enough to prompt an investigation by the SEC. Leakages of this size harm users since the data can be sold on the dark web and leveraged by bad actors for nefarious purposes.

Takeaway: Audit your APIs to ensure proper authorization checks are in place for all internal and external stakeholders.

4. Millions Stolen In Kronos API Hack

Some API breaches are more directly correlated with financial losses. This was certainly the case for cryptocurrency trading firm Kronos, which, in late 2023, suffered an API security breach that resulted in an estimated $25 million in losses. The hack used unauthorized API keys to steal nearly 13 thousand ETH from the platform. In addition to losses, there were also operational consequences since the trading firm had to shut down trading for an entire day, causing partners to go offline. The incident led to a significant loss in user faith at a time when the cryptocurrency market was already feeling a bit murky.

Takeaway: To avoid vulnerabilities, the API providers themselves must be careful with how they manage their API keys.

5. Optus Breach 

In mid-2022, Australian telecommunications company Optus suffered what it called a "sophisticated attack" upon its API, which led to the disclosure of over 11 million customer records. As The Guardian reports, it's unclear as to the exact mechanics of the attack. However, to others, calling it an "attack" in the first place is a joke. 

Takeaway: Don't assume anything left open on the web is "private." Take a zero-trust approach with the proper authentication and authorization in place to protect personally identifiable information.

Conducting API Attack Postmortems

Unfortunately, API breaches aren't uncommon. The hacks above follow a string of significant API-related vulnerabilities discovered within popular web applications in recent years, including Venmo, Dropbox, X/Twitter, Zendesk, and plenty of others. 

And although most of the breaches covered in this article have to do with leaky data, hackers are not just exploiting holes in APIs for data exfiltration — they're also using them to abuse business logic, conduct denial-of-service attacks, and escalate privileges to perform account takeovers. Knowing this reality, it's good to review the OWASP Top Ten for APIs and follow established API security best practices.

But beyond these practices, a strong software engineering culture learns from breaches when they occur. As Colin Domoney covers in his book 'Defending APIs', it is a good policy to follow the Google SRE doctrine of blameless postmortems.

"The key to conducting these postmortems is that they are blameless – they focus on the causes or issues rather than on the team or individual," says Domoney. So, be sure to conduct blameless postmortems if and when breaches occur.

Adopt API Governance to Reduce Vulnerabilities

As we've seen, API breaches are becoming more and more common. To decrease these types of risks, it's good to follow API security best practices, and implementing this will hinge on API governance. The right API governance model can help set guidelines for API development, ensuring API designs and coding practices are consistent throughout an organization. A governance framework that requires documentation and cataloging for these services will bring guardrails for API development — helping to avoid these terrible breaches and other potential API risks that keep you awake at night.