
APIsec, a prominent API testing firm catering to Fortune 500 companies, recently faced scrutiny after an unsecured internal database containing sensitive customer data was exposed on the internet.
The company has since secured the database, but the incident highlights fundamental concerns around API security and data protection.
On March 5, cybersecurity research firm UpGuard discovered an APIsec database exposed without password protection.
This database, which remained publicly accessible for several days, contained records dating back to 2018, including:
Notably, the database also contained sensitive information, including AWS private keys and credentials for Slack and GitHub accounts.
According to APIsec, these credentials belonged to a former employee and were reportedly disabled upon their departure two years ago. However, questions remain about why such critical information was left in the database.
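The credentials described above (AWS keys, Slack and GitHub tokens) follow publicly documented formats, which is what lets a defender check stored records for them before a dataset is ever exposed. The scanner below is an added example for this article, not code from APIsec, UpGuard or TechCrunch; the records it scans are constructed stand-ins in the shape of those formats, not real keys, and the prefix patterns (`AKIA`, `ghp_`, `xox[abpr]-`, PEM private-key headers) are the well-known public conventions for each credential type.

```python
import re
from typing import Dict, List

# Constructed sample records imitating rows of an internal database.
# The values are made up to match real credential formats; none is a live key.
SAMPLE_RECORDS = [
    {"id": 1, "note": "customer onboarding ticket, no secrets here"},
    {"id": 2, "note": "aws_access_key_id=AKIAEXAMPLE1234567AB"},
    {"id": 3, "note": "github token ghp_" + "a" * 36 + " left by ex-employee"},
    {"id": 4, "note": "slack bot token xoxb-123456789012-1234567890123-abcdefghijklmnopqrstuvwx"},
    {"id": 5, "note": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"},
]

# Public format conventions for the credential types named in the article.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_text(text: str) -> List[str]:
    """Return the names of every credential pattern found in one string."""
    return [name for name, pat in PATTERNS.items() if pat.search(text)]


def scan_records(records: List[dict]) -> Dict[int, List[str]]:
    """Scan every string field of every record; map record id -> sorted finding types."""
    findings: Dict[int, List[str]] = {}
    for rec in records:
        hits: List[str] = []
        for value in rec.values():
            if isinstance(value, str):
                hits.extend(scan_text(value))
        if hits:
            findings[rec["id"]] = sorted(set(hits))
    return findings


def redact(text: str) -> str:
    """Replace each matched secret with its 4-character type prefix plus a marker,
    so a report can name the credential type without reproducing the value."""
    for pat in PATTERNS.values():
        text = pat.sub(lambda m: m.group(0)[:4] + "[REDACTED]", text)
    return text


if __name__ == "__main__":
    for rec_id, kinds in scan_records(SAMPLE_RECORDS).items():
        print(f"record {rec_id}: {', '.join(kinds)}")
```

Run against a real export, the same `scan_records` loop would be pointed at each table's string columns; the redacted form is what belongs in a ticket or notification draft, never the raw match.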
When initially contacted by TechCrunch, APIsec's founder, Faizel Lakhani, downplayed the incident, claiming the exposed database contained only "test data" and not customer data, and labeled it a "human mistake."
APIsec has since informed affected customers about the exposure but declined to confirm whether they plan to notify regulatory authorities, as required under state-level data breach notification laws. The company has not made the breach notification sent to customers publicly available.