How Attackers Are Using APIs To Target Your Business

By Press Room | 8 January 2024 | 5 Mins Read

Chief Product Officer of SpyCloud, a leader in operationalizing Cybercrime Analytics (C2A).

In January 2023, a large telecommunications company suffered a breach, compromising over 37 million customer accounts. The criminals responsible gained access to an array of personally identifiable information (PII) from the exposed accounts, including billing addresses, emails and birthdays. The preliminary result from the SEC investigation of the breach indicates that the “bad actor” obtained the data from an application programming interface (API).

APIs are commonly used bridges that allow different software programs to communicate with each other. Just as direct messages between two people hold valuable information, APIs are often a treasure trove of PII, from usernames and passwords to sensitive information such as credit card numbers and even no-fly lists.

Further, APIs are granted significantly more permissions than user-facing programs to ensure applications communicate smoothly behind the scenes. As such, they can also provide access to the systems they’re connecting, such as banking and payment processing systems, cloud storage and code repositories.

In 2023, Gartner analysts correctly forecasted that APIs would become a priority attack vector for criminals. The threat persists despite organizations’ ongoing attempts to combat data exposure with multifactor authentication (MFA) and passkeys. Endpoint and identity security solutions are a step in the right direction, but more is needed. Criminals have evolved tactics to target more profitable initial access via APIs.

Fixing The Wrong Problem

There are several common ways that organizations expose their APIs to criminals. Often, software or security teams simply forget to remove API keys from code or documentation, accidentally making them public, or there may be inherent security vulnerabilities in the code itself that criminals can crack. However, the most common way criminals get their hands on API keys is when the keys are stolen through malware.

Here’s an analogy: If a person checks into a hotel, they must go through multiple levels of identity verification before gaining access to a hotel room. Initially, the individual must stop at the front desk and provide a name, driver’s license and credit card. The front desk confirms that this is the person who made the reservation and grants them a room key. This is the authentication layer protecting the hotel and its resources.

The new hotel keycard now grants various levels of access: the individual’s room, the elevator to get to different floors, facilities like the gym and pool, and potential access to breakfast or other amenities. If a person’s keycard is stolen, it doesn’t matter what authentication process occurred at the front desk. The card is now the problem—and that room and other “systems” within the hotel are compromised. You can think about API keys as the keycard to critical organizational services.

Unfortunately, cybercriminals are more sophisticated than pickpockets and have automated programs that allow them to copy API keys and distribute them to other criminals. To reduce the risk of exposure through APIs, organizations need a plan that includes rotating exposed, active API keys and addressing the infection that stole them in the first place.

Take Action Now

API key theft is a growing concern, yet many still overlook it as a threat vector. Organizations often miss it because they’re unaware that malware packages have evolved to a level of sophistication that allows bad actors to identify and harvest these important assets.

One simple way to reduce the risk of exposure through APIs is to cycle, or change, an organization’s API keys: both when they’ve been exposed to malware, so the stolen keys are no longer valid, and on a regular schedule, say, every six months or so, depending on the sensitivity of your data. Breaches and leaks are unavoidable in today’s world, and once API keys have been exposed, rotating them is crucial.

Remediating the malware infection that exfiltrated the API key is also essential. Traditional malware remediation is often done by wiping exposed devices. However, this doesn’t account for the data or resources infostealers have already stolen, such as API keys.

If these keys remain active, it doesn’t matter if the initial infected device is remediated; the API keys can still be used for follow-up attacks against the business. Therefore, security teams should focus on a post-infection remediation approach that addresses all stolen data, from API keys to cookies to passwords.
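The two rotation triggers described above (exposure to malware and age) and the point that wiping a device leaves its stolen keys usable can be expressed as a check over a key inventory. This Python sketch is an added example, not code from the author or SpyCloud; the inventory fields, device names and the 182-day threshold are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_KEY_AGE = timedelta(days=182)  # assumption: the article's "every six months or so"

@dataclass(frozen=True)
class ApiKey:
    key_id: str          # inventory label, never the secret itself
    issued: date
    active: bool
    seen_on: frozenset   # devices where the key was stored or used

@dataclass(frozen=True)
class Infection:
    device: str
    wiped_on: Optional[date]  # None = device not remediated yet

def rotation_plan(keys, infections, today):
    """Map key_id -> reason for every active key that must be revoked and reissued."""
    plan = {}
    for key in keys:
        if not key.active:
            continue  # already revoked, nothing left to reuse
        # A key that lived on an infected device before the wipe is treated as stolen.
        # The wipe cleans the device; it does not invalidate the copy the infostealer took.
        hit = next((i for i in infections if i.device in key.seen_on
                    and (i.wiped_on is None or key.issued <= i.wiped_on)), None)
        if hit:
            state = f"wiped {hit.wiped_on}" if hit.wiped_on else "not yet wiped"
            plan[key.key_id] = f"exposed on {hit.device} ({state}), key still active"
        elif today - key.issued > MAX_KEY_AGE:
            plan[key.key_id] = f"older than {MAX_KEY_AGE.days} days"
    return plan

# Constructed sample inventory and infection record (not real data).
TODAY = date(2024, 1, 8)
INFECTIONS = [Infection("laptop-17", wiped_on=date(2023, 12, 12))]
KEYS = [
    ApiKey("k-billing", date(2023, 11, 1), True, frozenset({"laptop-17"})),
    ApiKey("k-billing-v2", date(2023, 12, 20), True, frozenset({"laptop-17"})),
    ApiKey("k-storage", date(2023, 5, 1), True, frozenset({"ci-runner-2"})),
    ApiKey("k-legacy", date(2023, 10, 1), False, frozenset({"laptop-17"})),
]

if __name__ == "__main__":
    for key_id, reason in rotation_plan(KEYS, INFECTIONS, TODAY).items():
        print(f"ROTATE {key_id}: {reason}")
```

The key reissued after the wipe (`k-billing-v2`) is not flagged, while the original stays on the list until it is actually revoked.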

To do this, organizations need a way to know what data has been stolen. By implementing security tools that allow proactive monitoring of the darknet for exposed data, companies can identify stolen API keys and remediate them before they’re used for additional cyberattacks. Individual users can also use free dark web monitoring tools to check their exposure and change any compromised PII data, including emails and passwords.

Conclusion

API keys can no longer be ignored when protecting businesses from crippling and costly cyberattacks. The increasing number of malware attacks targeting APIs means that leaders must start paying attention to the threat or risk potentially significant financial and reputational damage. Organizations should take actions like revoking and reissuing compromised API keys, monitoring the darknet for API exposures and implementing a post-infection remediation approach to stop criminals before they have a chance to use stolen API keys to cause harm.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

Damon Fleury