API testing firm APIsec leaks customer data
APIsec, an API security testing company claiming to be used by 80% of Fortune 100 companies, was leaking data through an internal Elasticsearch database that was left connected to the internet without password protection.
The database, containing over three terabytes of data generated by monitoring customers' APIs for security weaknesses, was discovered by security research firm UpGuard on the morning of March 5, 2025. After analyzing its contents and confirming what it held, UpGuard notified APIsec by email, and the database was secured the same day.
The unprotected database contained extensive information dating back to 2018, including:
- Configuration information for private scanning instances
- Scan results: detailed reconnaissance information about customers' API endpoints and the security tests being performed
- System credentials, including:
  - AWS access keys and secret keys
  - Slack account credentials
  - GitHub account credentials
- Configuration data for 3,772 APIsec scanning instances
- Personal information:
  - Customer names and email addresses
  - Company names and plan types
  - SSO and MFA configuration status
  - In one case, personal information of 224 nail salon technicians, including names, email addresses, mobile phone numbers, and bcrypt-hashed passwords
- Customer account metadata and contact information
The number of affected individuals has not been disclosed.
The largest index, "fx-testsuite-responses-lob," contained over 99 million entries using two terabytes of storage space. The database included multiple indices with scan data spanning 2018 to 2025, with verbose API test responses that recorded the inputs sent to and outputs returned by customers' endpoints.
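Storing verbose test responses is how credentials such as the AWS, Slack and GitHub secrets described above end up in a search index. A defensive control a scanning platform can apply is to redact credential-shaped strings before a response is indexed, and to count what was redacted so an alert fires when a customer's API is handing out secrets. The following is an added example, not code from APIsec or UpGuard; the token formats are assumptions based on the vendors' publicly documented shapes, the sample documents are constructed, and the index name in the usage call is only illustrative.

```python
import re
from collections import Counter

# Token shapes for the credential types the article names (AWS, Slack, GitHub).
# These are assumptions based on the vendors' publicly documented formats, not
# values taken from the exposed database.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Key name + separator + 40-char value; group 2 is the part that gets redacted
    "aws_secret_access_key": re.compile(
        r"(aws_secret_access_key|secret_key)[\"']?\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})",
        re.IGNORECASE,
    ),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}


def redact_secrets(text):
    """Return (redacted_text, [kinds found]). Only the secret value is replaced;
    a surrounding key name is kept so the stored record stays readable."""
    found = []

    def make_repl(kind):
        def repl(m):
            # Patterns with a capture group redact the last group; others the whole match
            secret = m.group(m.lastindex) if m.lastindex else m.group(0)
            found.append(kind)
            return m.group(0).replace(secret, f"[REDACTED:{kind}]")
        return repl

    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(make_repl(kind), text)
    return text, found


def scrub_documents(docs):
    """Redact every document body before it would be indexed. Returns the clean
    copies plus a per-kind tally that a detection rule can alert on."""
    counts = Counter()
    clean = []
    for doc in docs:
        body, kinds = redact_secrets(doc["body"])
        counts.update(kinds)
        clean.append({**doc, "body": body, "redacted": len(kinds)})
    return clean, dict(counts)


# Constructed sample documents shaped like verbose API test responses.
# The AWS values are the well-known placeholder pair from AWS documentation.
SAMPLE_DOCS = [
    {"endpoint": "/v1/config",
     "body": '{"aws_access_key_id": "AKIAEXAMPLE012345678", '
             '"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'},
    {"endpoint": "/v1/notify",
     "body": "HTTP/1.1 200 OK\nAuthorization: Bearer xoxb-000000000000-000000000000-EXAMPLEtoken\n{\"ok\": true}"},
    {"endpoint": "/v1/repos",
     "body": '{"repo": "acme/payments", "token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"}'},
    {"endpoint": "/v1/health",
     "body": '{"status": "up", "version": "2.4.1"}'},
]

if __name__ == "__main__":
    clean_docs, tally = scrub_documents(SAMPLE_DOCS)
    for doc in clean_docs:
        # In a real pipeline this is where the document would go to the index
        # (hypothetical index name "fx-testsuite-responses-scrubbed")
        print(doc["endpoint"], doc["redacted"], doc["body"])
    print("redaction tally:", tally)
```

The tally is the detection signal: a non-zero count for a customer's scan means the API under test is returning live credentials, which deserves a notification to that customer regardless of whether the index is ever exposed. Pattern matching of this kind misses secrets with no recognisable prefix, so it complements, rather than replaces, keeping the index off the public internet and behind authentication.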
When contacted by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the incident, claiming the database contained only "test data" for debugging purposes and that "no customer data was in the database." However, when presented with evidence of leaked customer information, Lakhani changed his position, acknowledging the company had conducted an investigation and subsequently notified affected customers.
The company attributed the exposure to "human mistake" rather than a malicious incident. Regarding the exposed AWS keys, APIsec stated they belonged to a former employee who left the company two years ago and were disabled upon their departure, though it remains unclear why these credentials remained in the database.
APIsec claims to have notified customers whose personal information was exposed, though the company declined to provide a copy of the data breach notice allegedly sent to customers or to comment on whether they plan to notify state attorneys general as required by data breach notification laws.