API Security and Data Exposure: 8 Principles to Know

What is API exposure? And does it pose a problem? Ultimately, all APIs will convey a certain amount of information. But if they share too much data, then they can pose a serious security risk. This is known as API excessive data exposure.

In 2023, 50% of organizations reported data breaches due to API vulnerabilities, making APIs a major cybersecurity risk for any company. Why? Excessive data exposure in API can have serious ramifications, from loss of sensitive information to a damaged brand reputation, to a negative user experience, and more.

In this guide, you’ll learn the consequences of sensitive data API exposure, and discover some real-time solutions to reduce the risk.

1. What is API exposure?

API exposure is when an application programming interface (API) is visible to ecosystems outside its environment.

This is a normal and important function, as APIs allow different systems to communicate with each other. Any online system will have a degree of API exposure.

However, API exposure needs to be carefully controlled and monitored, with the right API security measures in place. Otherwise, there’s a high risk of excessive data exposure.

2. What is excessive data exposure in API?

Excessive data exposure in API is when the API reveals more data than necessary to fulfill its role.

(In other words, it over-delivers!)

For example, API data exposure could mean…

  • Exposed data which includes sensitive information or data objects, such as login details
  • Data might not be encrypted—especially in logs, networks, and databases—making it easy to intercept API requests

Before we explore the consequences and solutions of excessive data API exposure, here’s some quick terminology to keep in mind.

What is sensitive data exposure?

Sensitive data exposure is when important system and user data is visible to unauthorized parties. These data leaks could include personally identifiable information (PII), such as full names or email addresses. This is known as API PII exposure.

What is API vulnerability?

API vulnerability refers to any flaw or weakness that could compromise the security, integrity, or availability of an API schema. Let’s look at this in more detail in the next section.

3. How are applications vulnerable to data exposure?

Applications are at risk of data exposure when they don’t have the right security measures in place. This is especially the case when it comes to using APIs, as this is the point where information is typically transferred between systems.

But how exactly do they pose a security risk? The Open Web Application Security Project (OWASP) Foundation has found the answers.

The ‘OWASP API Security Top 10’ initiative

The OWASP API Security Top 10 is a nonprofit initiative that has identified the top 10 security risks for APIs.

  1. API1: 2023 – Broken object level authorization: When API endpoints are exposed, leading to access control issues.
  2. API2: 2023 – Broken authentication: When attackers can bypass the usual permissions, such as through API key exposure, and pretend to be another user.
  3. API3: 2023 – Broken object property level authorization: When there is excessive data exposure and oversharing, leading to information being exposed or manipulated.
  4. API4: 2023 – Unrestricted resource consumption: When attackers can overwhelm a system with API requests, leading to Denial of Service (DoS) attacks or increased running costs.
  5. API5: 2023 – Broken function level authorization: When an API has unclear access control policies, leading to authorization flaws.
  6. API6: 2023 – Unrestricted access to sensitive business flows: When pathways (such as making a purchase or sharing a comment) can be easily overwhelmed and flooded.
  7. API7: 2023 – Side server request forgery (SSRF): When API responses are triggered without the correct user validation.
  8. API8: 2023 – Security misconfiguration: When an API isn’t encoded with the correct security best practices, making it vulnerable to attacks.
  9. API9: 2023 – Improper inventory management: APIs have more endpoints exposed than web applications, meaning that deprecated versions or bugs could easily be missed over time.
  10. API10: 2023 – Unsafe consumption of APIs: Integrated third-party services that are used alongside APIs can be exploited, as they tend to have lower security standards.

All of these top 10 security risks can compromise API systems and lead to excessive data exposure.

4. What are the consequences of API exposure?

Excessive data exposure—whether by human error or through concerted API attacks—can have devastating consequences for any business or organization.

  • API sensitive data exposure: Important information, such as PII, could be leaked to unauthorized users or cybercriminals
  • Downtime in operations/services: The API system could be disrupted or halted, affecting the whole customer experience as well as disrupting operations and generating financial losses
  • Negative brand reputation: Loss of data could lead to fines, lack of trust, and negative publicity for any business
  • High recovery costs: Deploying recovery and security measures can be time-consuming and expensive
  • Legal and financial consequences: Companies could face fines and legal action when data is compromised (more on this in the next section)

5. Which data laws should I be aware of?

Excessive data exposure API risk doesn’t just affect brands—it can also lead to long-term legislative consequences. Here are some of the main data privacy laws that could be involved.

  1. General Data Protection Regulation (GDPR): Known as ‘the toughest privacy and security law in the world’, the GDPR was created in 2018 for any organization that targets or collects people’s data in the EU.
  2. Health Insurance Portability and Accountability Act (HIPAA): A US law passed in 1996 intended for healthcare providers and organizations to protect patient data confidentiality.
  3. California Consumer Privacy Act (CCPA): A US law passed in 2018 to ‘give consumers more control over the personal information that businesses collect about them.’

Laws like these exist to keep people safe and to hold organizations accountable for how they use sensitive information. With the rise of API usage and the digitization of modern society, the risk of private data being leaked is only increasing, making these regulations more relevant than ever.

And even large brands aren’t immune…

6. What are the top 5 API data exposure incidents?

Let’s explore some real-life use cases of what happens when this data is compromised via API pathways.

T-Mobile

In 2023, T-Mobile experienced a breach due to an unauthorized intrusion into a single Application Programming Interface (API). The initial compromise of the API occurred back on November 25, 2022. The breach was confirmed by T-Mobile to affect around 37 million accounts, though they asserted no delicate details including financial records, passwords, credit card data, social security details, or other fiscal account specific data were disclosed.

Dropbox

In 2022, cybercriminals used a phishing email to get access to 130 of Dropbox’s internal GitHub code repositories, including API keys. Fortunately, user data was not compromised, but Dropbox had to bring in an external forensic team and report the incident to law enforcement.

Twitter

Earlier in 2022, the user data of 5.4 million Twitter profiles was sold on a hacking forum, after cybercriminals accessed the data through an API vulnerability. Hackers could ask the API to identify which phone numbers and emails were associated with certain accounts.

Optus

Also in 2022, attackers found an Optus API endpoint with no authentication required. From here, they could access sensitive information for 11.2 million people, including customer driver’s licence numbers, birth dates, and home addresses, with a cost of over $140 million.

Facebook

In 2018, it emerged that attackers had been able to exploit an API vulnerability connected to Facebook, affecting 50 million users. There was a loophole that enabled hackers to take someone’s access token, allowing accounts to be taken over.

7. What can we expect from API data exposure this year?

As we’ve seen, no brand is immune to excessive data exposure in API, and the security risk of APIs is only increasing.

Here’s why.

  • Artificial intelligence is creating new vulnerabilities: Queries being run between APIs and AI could inadvertently lead to sensitive information being shared
  • API data breaches are on the rise: 60% of organizations have suffered an API data breach in the past two years
  • However, API security still isn’t a priority: Only 11% of companies have an API security plan in place

This data shows that despite the growing threat of API attacks and excessive data exposure, and the devastating long-term consequences they pose, few companies have the right measures in place to counteract the risk.

Here’s what you can do to be different.

8. How can I reduce the risk of API exposure?

If you want to protect your brand reputation, finances, supply chain integrity, and user experience, then reducing the risk of excessive data exposure through API is essential.

Here are several best practices to protect your organization.

Invest in API discovery

API discovery is all about uncovering any unmonitored, shadow, or vulnerable APIs in your system. By knowing all your assets inside out, you can detect API data exposure risks before they happen, and proactively put measures in place to keep them safe.

For example, you could use effective asset management techniques to deploy, maintain, and remove these API channels at the perfect time.

Prioritize load balancing and rate limiting

When developers spread traffic across several different servers, and limit how many actions people can run, they can ensure that the API service continues to run effectively.

These two measures will reduce latency and runtime, and make it harder for attackers to overwhelm a system with too many API requests.

Review your authentication measures

Deploying effective validation and authentication measures will mean that only authorized people can interact with the API. This reduces the chances of sensitive data being exposed to the wrong person.

Also, your authorization protocols should be regularly audited and reviewed for any loopholes or bugs that could turn into a vulnerability later down the line.

Justify the PII you process

Before collecting any information for your system, ask yourself, “Do we really need to process this data?”

Focusing only on the essential data will reduce your attack surface (your potential of being a victim of cybercrime), as there is less sensitive information for hackers to exploit.

Optimize your API schemas

Review all of your API responses to make sure they aren’t delivering more information than necessary. You should also review all your error messages to ensure that they aren’t delivering additional data. By optimizing all of your API schemas, you can avoid letting sensitive information slip through unnecessarily.

Conclusion

Excessive data exposure through APIs can have catastrophic consequences for any brand. And the potential for data breaches is only increasing, as shown through the OWASP API security initiative.

But with the right cybersecurity measures in place, and with a boost from external attack surface management tools like CybelAngel, you can safeguard your systems and proactively take steps to protect all the sensitive data you process.

Interested in catching up with the rest of the blogs in this series?

1: What is API Security? Here’s Everything You Need to Know

2: API Attacks: Understanding and Protecting Your Infrastructure

3: What are the Key Benefits of API Discovery?

That is it for this blog.