API testing company APISEC has confirmed that it has secured an exposed internal database containing customer data that had been connected to the internet for several days without a password.
The exposed APISEC database held records dating back to 2018, including the names and email addresses of customers' employees and users, as well as details about the security posture of APISEC's corporate customers.
According to Upguard, the security research firm that found the database, much of the data was generated by APISEC while monitoring its customers' APIs for security weaknesses.
Upguard found the leaked data on March 5 and notified APISEC the same day. APISEC quickly secured the database.
APISEC, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for various customers. An API allows two or more things to communicate with each other over the internet, such as a company's backend systems and the apps and websites its users access. Insecure APIs can be exploited to siphon sensitive data from corporate systems.
Upguard said the exposed data includes information about APISEC customers' attack surface, including details on whether multi-factor authentication had been enabled on customer accounts. Upguard said this information could provide useful technical information to malicious adversaries.
When reached for comment by TechCrunch, APISEC founder Faizel Lakhani initially downplayed the security lapse and stated that the database contains “test data” that APISEC uses to test and debug its product. Lakhani added that the database was “not our production database” and that “the database had no customer data.” Lakhani said the exposure was caused by “human errors” and was not malicious.
“We immediately closed public access. No data in the database is available,” Lakhani said.
However, Upguard said it found evidence of information about APISEC's actual corporate customers.
The data also includes personal information about customers' employees and users, including names and email addresses, Upguard said.
Lakhani walked back his statements when TechCrunch provided the company with evidence of the customer data leak. In a later email, the founder said the company completed its investigation on the day of Upguard's report and “played and replayed the investigation again this week.”
Lakhani said that the company has since notified customers whose personal information was publicly available in the database. Lakhani did not provide TechCrunch with a copy of the data breach notification that the company said it sent to its customers when asked for one.
Lakhani declined to comment further when asked whether the company plans to notify state attorneys general, as required under data breach notification laws.
Upguard also found a set of AWS private keys and credentials for Slack and GitHub accounts in the dataset, but the researchers were unable to determine whether the credentials were active, as it is illegal to use the credentials without permission. APISEC said the keys belonged to a former employee who left the company two years ago and were invalidated on their departure. It is not clear why the AWS keys remained in the database.