Question: What happens to my organization if APIs are compromised or abused?
Michael Isbitski, technical evangelist, Salt Security: Impacts from API abuse include the obvious answers of data breach and brand damage, but security practitioners are wrestling with many more concerns. The $700 million Equifax settlement that was the result of API abuse has become a measurement for potential business impact. Observing recent API security incidents, some of the biggest impacts included data loss, privacy erosion, account takeover, fraud, and supply chain compromise.
Data loss is rampant in cases where APIs do not enforce sufficient authentication and authorization, a common mistake that organizations make when relaxing access controls to promote API adoption. We've also seen numerous scraping incidents where malicious actors harvest data en masse via APIs, even for APIs that require authentication. Recent scraping examples include the API incidents at Facebook and LinkedIn, as well as the incidents with Experian and Peloton, where the potential for mass scraping was disclosed early by security researchers. While the company line for victim organizations is often that these incidents do not fit the definition of a data breach, regulatory language can differ, and privacy impacts to customers are clear.
Attackers also abuse APIs with brute-forcing and credential-stuffing techniques with the goal of compromising user credentials or account takeover (ATO). The concern over ATO is common in all industries, but it hits financial services and financial technology particularly hard. Once an attacker has taken over an account, they use that access to escalate privileges further or perpetuate other fraud. We've also seen digital supply chain attacks and complex attack chains where APIs are the initial or prime attack vector. Once attackers have obtained access via APIs, they abuse that access to compromise other systems or pivot within an organization's networks. The Microsoft Exchange Server attacks in March 2021 were a great example of this type of API attack.