CyberSecurity news
@upguard.com
API security testing firm APIsec exposed an internal database to the internet without a password, potentially compromising customer data. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, according to researchers at UpGuard, who discovered the exposed database on March 5th, 2025. UpGuard notified APIsec, and the database was secured the same day. APIsec claims to be used by 80% of the Fortune 100.
The exposed Elasticsearch database contained over three terabytes of data, including configuration information for private scanning instances, results of API scans for customers’ endpoints, and personal information for users collected during scanning. This data provided extensive information about the attack surfaces of APIsec's customers. The database contained indices for executing the APIsec test suites against customer APIs and storing the results, with data spanning from 2018 to 2025.
The APIsec platform helps companies secure their APIs by running tests for common weaknesses. The exposed data included information about which tests were being performed, which could let an attacker focus on weaknesses the tests did not cover. The index "fx-accounts" included usernames and credentials for services like AWS, Slack, and GitHub. The index "fx-clusters" contained configuration data for APIsec scanning instances, some of which contained the same AWS access key as the record in "fx-accounts".
References:
- Zack Whittaker: New: API security testing firm APIsec exposed an internal database to the internet without a password. The database contained customer info and other data generated while monitoring customer APIs for security weaknesses, per researchers at UpGuard, which found it.
- techcrunch.com: API testing firm APIsec exposed customer data during security lapse
- www.upguard.com: Watching the Watcher: How a Security Company Leaked Customer Data | UpGuard
- CyberInsider: Security Firm APIsec Exposed 3TB of Sensitive Customer Data
Classification:
- HashTags: #DataBreach #APIsecurity #SecurityLapse
- Company: APIsec
- Target: APIsec customers
- Product: APIsec
- Feature: Database Exposure
- Type: DataBreach
- Severity: Major