Have you ever logged into a website or an app with your Facebook login information?
You were able to do this because that site or app used a Facebook API.
While APIs are convenient, small coding errors can mean enormous risks.
Small- and medium-sized businesses, in particular, may rely more heavily on APIs than they know.
What Is An API?
An application programming interface is most commonly known as an API.
Each API is a set of standard instructions for accessing web-based applications. Software developers can use these APIs to create products and services powered by the API.
API sprawl is a growing issue, according to a Ping Identity survey in late 2018. More than half of respondents said their company has at least 400 APIs. However, just under half said they weren’t confident that they could detect an API breach, and about half said they don’t think their security team even knows about all of their APIs.
Those staggering numbers may explain some of the biggest API breaches in history.
Takeaways From Famous API Breaches
1. Panera Bread
An unauthenticated API endpoint is to blame for the leakage of around 37 million Panera Bread customer records, reports CSO. The information included personally identifiable information and login credentials. A security expert warned Panera of the issue, but Panera ignored it for around eight months.
Takeaway for SMBs: If a security alert comes from a credible source, verify the alert immediately. At best, it’s false. At worst, you hand over your customers’ valuable data to bad actors.
2. Salesforce Marketing Cloud
A number of high-profile Salesforce Marketing Cloud customers may have experienced some data loss in the summer of 2018 due to a faulty API, according to ZDNet. That’s because a code change in an update is said to have caused API calls to improperly retrieve or write data.
Unlike the Panera example, this issue was live for only around a month and was patched on the same day.
Takeaway for SMBs: If an issue is discovered, take swift action. Further, this example shows that as SMBs rely more on web platforms for CRM and marketing automation, the potential exists for these types of issues.
3. Facebook
Ars Technica reported that nearly 50 million Facebook accounts were affected by a data breach that exploited three bugs in Facebook’s code. Facebook’s APIs were queried, but it was unknown whether any private information had been exposed. The breach could also have allowed attackers access to Facebook’s single sign-on API, exposing potentially even more data.
Takeaway for SMBs: Many SMBs rely on Facebook to do business today because of its massive reach. However, SMBs must also realize that reach exposes Facebook—and their own business—to potential API threats. Think about reducing reliance on Facebook as a core part of your business.
4. United States Postal Service
If you had a USPS.com account, Brian Krebs reported, you also had the potential to see 60 million other accounts.
A weakness in the API exposed real-time information about packages and mail traveling throughout the country.
The issue was initially found a year before it was fixed.
Takeaway for SMBs: API breaches aren’t just targeted at your business. They can affect critical components of your supply chain, as well.
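The Panera and USPS cases above describe two distinct API failures: an endpoint that requires no authentication at all, and an endpoint that authenticates the caller but never checks whether the requested record belongs to that caller. The following added example (not code from Panera, USPS, or the article) models both failure modes beside a hardened handler, using a constructed in-memory customer table and session store in place of a real web framework, so it runs offline; every name and value in it is an assumption made for illustration.

```python
"""Constructed illustration of an API record endpoint in three versions.

handler_unauthenticated   - no authentication: anyone with an id reads the record.
handler_authenticated_only - authenticated, but no object-level authorization:
                             a logged-in user reads other customers' records
                             by changing the id in the path.
handler_hardened           - requires a valid session AND that the requested
                             record belongs to the caller.
All data below is constructed sample data, not real customer information.
"""
from dataclasses import dataclass
import secrets

# Constructed customer table: id -> personally identifiable fields.
RECORDS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid", "phone": "555-0101"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "phone": "555-0102"},
}

# Constructed session store: bearer token -> customer id.
SESSIONS = {}


def login(customer_id):
    """Issue a random, unguessable bearer token for a customer (hypothetical helper)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class Response:
    status: int
    body: object = None


def parse_customer_id(path):
    """Extract the integer id from /api/customers/<id>, or None if malformed."""
    prefix = "/api/customers/"
    if not path.startswith(prefix):
        return None
    tail = path[len(prefix):]
    return int(tail) if tail.isdigit() else None


def authenticate(req):
    """Return the customer id bound to the bearer token, or None if absent/unknown."""
    value = req.headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    # Random tokens looked up by exact match; a real service would store hashes.
    return SESSIONS.get(value[len("Bearer "):])


def handler_unauthenticated(req):
    """Failure mode 1 (Panera-style): no authentication check at all."""
    cid = parse_customer_id(req.path)
    if cid is None or cid not in RECORDS:
        return Response(404)
    return Response(200, RECORDS[cid])


def handler_authenticated_only(req):
    """Failure mode 2 (USPS-style): who you are is checked, what you may see is not."""
    if authenticate(req) is None:
        return Response(401)
    cid = parse_customer_id(req.path)
    if cid is None or cid not in RECORDS:
        return Response(404)
    return Response(200, RECORDS[cid])


def handler_hardened(req):
    """Authentication plus object-level authorization on every record read."""
    caller = authenticate(req)
    if caller is None:
        return Response(401)
    cid = parse_customer_id(req.path)
    # Answer 404 for both "no such record" and "not your record", so the
    # endpoint does not confirm which ids exist to a caller probing them.
    if cid is None or cid not in RECORDS or cid != caller:
        return Response(404)
    return Response(200, RECORDS[cid])


if __name__ == "__main__":
    alice = login(1001)
    probe = Request("/api/customers/1002", {"Authorization": "Bearer " + alice})
    print("unauthenticated:", handler_unauthenticated(Request("/api/customers/1002", {})).status)
    print("auth only, other user's record:", handler_authenticated_only(probe).status)
    print("hardened, other user's record:", handler_hardened(probe).status)
    print("hardened, own record:", handler_hardened(Request("/api/customers/1001", probe.headers)).status)
```

The hardened handler is the only one of the three that ties the record to the session; the other two are what an API audit should flag: an endpoint reachable without credentials, and an endpoint whose response depends only on a client-supplied identifier. The uniform 404 in the hardened version is a deliberate design choice that keeps the endpoint from revealing which ids are valid.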
SMBs must keep tabs on their own APIs and stay alert to the status of the other APIs they rely on. Include a regular API audit in your cybersecurity protocols.