API testing company APIsec has confirmed that it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.
The exposed APIsec database stored records dating back to 2018, including names and email addresses of its customers' employees and users, as well as details about the security posture of APIsec's corporate customers.
Much of the data was generated by APIsec as it monitors its customers' APIs for security weaknesses, according to UpGuard, the security research firm that found the database.
UpGuard found the exposed data on March 5 and notified APIsec the same day. APIsec secured the database shortly after.
APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as a company's back-end systems with users accessing its app and website. Insecure APIs can be exploited to siphon sensitive data from a company's systems.
In a report published now, which was shared with TechCrunch before its release, UpGuard said that the exposed data included information about the attack surfaces of APIsec's customers, such as details about whether multi-factor authentication had been enabled on a customer's account. UpGuard said this information could provide useful technical intelligence to a malicious adversary.
When reached for comment by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained “test data” that APIsec uses to test and debug its product. Lakhani added that the database was “our production database” and “there is no customer data that was in the database.” Lakhani confirmed that the exposure was due to “human error,” not a malicious incident.
“We have quickly closed the audience. The data in the database are not useable,” Lakhani said.
But UpGuard said it had found evidence of information in the database relating to real-world customers of APIsec, including the results of scans of its customers' API endpoints for security issues.
UpGuard said the data also included some personal information of its customers' employees and users, including names and email addresses.
Lakhani backtracked when TechCrunch provided the company with evidence of the leaked customer data. In a subsequent email, the founder said that the company completed an investigation on the UpGuard report and “returned and re-investigated again this week.”
Lakhani said that the company subsequently notified the customers whose personal information was in the database that had been publicly accessible. Lakhani would not provide TechCrunch, when asked, with a copy of the data breach notice that the company sent to customers.
Lakhani declined to comment further when asked whether the company plans to notify state attorneys general as required by data breach notification laws.
UpGuard also found a set of private keys for AWS, along with credentials for a Slack account and a GitHub account, in the dataset, but the researchers could not determine whether the credentials were active, as using the credentials without permission would be unlawful. APIsec said that the keys belonged to a former employee who left the company two years ago and were disabled when he left. It is not clear why the AWS keys were left in the database.