What Happens to My Organization If APIs Are Compromised?

Once attackers have obtained access, they can compromise other systems or pivot within your networks.

Michael Isbitski, Technical Evangelist at Salt Security

January 19, 2022

Question: What happens to my organization if APIs are compromised or abused?

Michael Isbitski, technical evangelist, Salt Security: Impacts from API abuse include the obvious answers of data breach and brand damage, but security practitioners are wrestling with many more concerns. The $700 million Equifax settlement that was the result of API abuse has become a measurement for potential business impact. Observing recent API security incidents, some of the biggest impacts included data loss, privacy erosion, account takeover, fraud, and supply chain compromise.

Data loss is rampant in cases where APIs do not enforce sufficient authentication and authorization, a common mistake that organizations make when relaxing access controls to promote API adoption. We've also seen numerous scraping incidents where malicious actors harvest data en masse via APIs, even for APIs that require authentication. Recent scraping examples include the API incidents at Facebook and LinkedIn, as well as the incidents with Experian and Peloton, where the potential for mass scraping was disclosed early by security researchers. While the company line for victim organizations is often that these incidents do not fit the definition of a data breach, regulatory language can differ, and privacy impacts to customers are clear.

Attackers also abuse APIs with brute-forcing and credential-stuffing techniques with the goal of compromising user credentials or account takeover (ATO). The concern over ATO is common in all industries, but it hits financial services and financial technology particularly hard. Once an attacker has taken over an account, they use that access to escalate privileges further or perpetuate other fraud. We've also seen digital supply chain attacks and complex attack chains where APIs are the initial or prime attack vector. Once attackers have obtained access via APIs, they abuse that access to compromise other systems or pivot within an organization's networks. The Microsoft Exchange Server attacks in March 2021 were a great example of this type of API attack.
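Two detections for the abuse patterns described in the last two paragraphs (mass scraping of object ids by an authenticated client through an authorization gap, and credential stuffing against a login endpoint), as an added example that is not code from the article or from Salt Security; the log format, endpoint paths, client identifiers and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sample lines, "METHOD PATH STATUS CLIENT"; not real traffic or real ids.
SAMPLE_LOG = """\
GET /api/v1/users/1001 200 tok_A
GET /api/v1/users/1002 200 tok_A
GET /api/v1/users/1003 200 tok_A
GET /api/v1/users/1004 200 tok_A
GET /api/v1/users/1005 200 tok_A
GET /api/v1/users/2001 200 tok_B
POST /api/v1/login 401 10.0.0.9
POST /api/v1/login 401 10.0.0.9
POST /api/v1/login 401 10.0.0.9
POST /api/v1/login 200 10.0.0.9
POST /api/v1/login 200 10.0.0.7
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
OBJECT_ID_RE = re.compile(r"/(\d+)$")  # trailing numeric object id, e.g. /users/1001

def parse(log):
    """Parse log text into dicts; lines that do not match the assumed format are skipped."""
    return [{"method": m[1], "path": m[2], "status": int(m[3]), "client": m[4]}
            for m in map(LINE_RE.match, log.splitlines()) if m]

def find_enumeration(records, threshold=4):
    """Scraping signal: one client fetching many distinct object ids from one collection.
    Consecutive ids suggest id enumeration through an authorization gap despite valid auth."""
    seen = defaultdict(set)
    for r in records:
        m = OBJECT_ID_RE.search(r["path"])
        if r["method"] == "GET" and m:
            seen[(r["client"], r["path"][: m.start()])].add(int(m[1]))
    flagged = {}
    for (client, collection), ids in seen.items():
        if len(ids) >= threshold:
            ordered = sorted(ids)
            flagged[client] = {"collection": collection, "distinct": len(ids),
                               "sequential": ordered[-1] - ordered[0] == len(ids) - 1}
    return flagged

def find_credential_stuffing(records, login_path="/api/v1/login", threshold=3):
    """ATO signal: repeated 401s on the login endpoint from one client, then a 200 (a hit)."""
    fails, hit = defaultdict(int), defaultdict(bool)
    for r in records:
        if r["method"] == "POST" and r["path"] == login_path:
            if r["status"] == 401:
                fails[r["client"]] += 1
            elif r["status"] == 200 and fails.get(r["client"]):
                hit[r["client"]] = True
    return {c: {"failures": n, "then_succeeded": hit[c]} for c, n in fails.items() if n >= threshold}
```

In production the same counts would be kept per client per time window, and the thresholds tuned to the API's legitimate usage.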

About the Author(s)

Michael Isbitski

Technical Evangelist at Salt Security

Michael Isbitski is technical evangelist at Salt Security, helping to improve awareness and technical understanding in the area of API security. Prior to joining Salt Security, Michael was a senior director analyst at Gartner for Technical Professionals (GTP) within the Security Technology and Infrastructure team. He researched and advised on a range of application security and infrastructure security topics including API security, security testing, secure design, secure SDLC, application protection, container security, Kubernetes security, and secure continuous delivery. He has guided hundreds of organizations of all sizes globally in their security initiatives, across sectors and verticals. Additionally, Michael has over 20 years of hands-on practitioner and leadership experience in the fields of application security, vulnerability management, risk assessment, enterprise architecture, and systems engineering.
