The Impact of API Breaches

An Akamai research study found that threat actors carried out 108 billion API attacks from January 2023 to June 2024. Granted, not all of them were successful. But those that were became API breaches.

The number of API incidents has been growing for some time now and has never been higher than in 2023, according to Imperva’s “The Economic Impact of API and Bot Attacks” report.

As a result of this upward trend, we’ve reached a point where we suffer an annual API-related global loss of USD 35–87 billion—strong evidence of the destructive impact of API breaches.

This article brings up and answers four questions:

• What are the different types of impact of API breaches?
• Who is most at risk of an API security breach?
• Why are APIs such an appealing target?
• How does Equixly help?

What Are the Different Types of Impact of API Breaches?

There are five types of impact of API breaches:

1. Direct Financial Loss

This type ranges from theft of crypto or traditional currency to ransomware extortion following an exploited vulnerable API.

An example of direct financial loss was the Kronos Research hack in 2023. A threat actor stole cryptocurrency worth $26M by gaining unauthorized access to Kronos Research’s API keys.

2. Data and Privacy Exposure

When malicious actors scrape or leak sensitive information, such as phone and credit card numbers, or APIs expose excessive data in their responses, you suffer data and privacy exposure.

An example is the 2023 T-Mobile data breach. In this security incident, a threat actor stole the private data of 37M T-Mobile customers by abusing a poorly configured API.

3. Operational Disruption

Operational disruption includes incidents such as forced service and power outages and DDoS resulting from abused APIs.

An example is the Apple API abuse in which a sneaker cook group exploited a shadow API during the launch of a new, highly anticipated sneaker.

The cook group sent over 100 million malicious API requests that caused a temporary service outage, thus preventing others from being able to order the newly launched sneakers.

4. Supply Chain Risk

Vulnerable integrations, insecure dependencies, and lateral movement through third-party attacks all fall within supply chain risk.

One of the most terrifying examples is the 2022 Sandworm attack on Ukraine’s power grid.

The infamous hacker group managed to open circuit breakers in an electrical substation through an API interface in a third-party component. The targeted component was the MicroSCADA X DMS600 control system, and the consequence of the attack was a massive power outage.

5. Reputational Damage

Reputational damage includes an incident fallout like a lawsuit resulting from non-compliant APIs leaking data and customer churn following a data breach.

A real-life example is the Optus data breach—one of the worst API security incidents ever. The Australian telco suffered a lawsuit and non-compliance charges following a data theft that affected over 11.2M customers.

The attacker accessed the customer data through an undocumented, unauthenticated, publicly accessible API endpoint.

Who Is Most at Risk?

A key finding of the “The Economic Impact of API and Bot Attacks” report was that the risk of an API breach is proportional to the size of the organization.

Large enterprises (>$100B in revenue) are most susceptible to API incidents, followed by mid-range ($500M–$100B) and small enterprises (<$500M).

Two factors can explain this situation:

• Larger enterprises rely more on APIs and operate with more valuable data than their smaller counterparts.

  “The 2022 API Security Trends Report” by 451 Research revealed stunning information: Large enterprises used as many as 25,592 APIs on average.

  A principal drive behind the proliferation of APIs is the need for a more extensive data exchange between disparate systems. Thus, it shouldn’t come as a surprise that malicious actors are after the data in large information environments housing gazillions of APIs.

• Larger enterprises use bigger and more complex APIs than smaller enterprises.

  Bigger and more complex APIs mean a wider API attack surface, which implies potentially more security problems and oversights.

  These do not have to be flagrant violations of good security practices. Issues like inadvertent misconfigurations or unnoticed API logic flaws can lead to a terrible business impact as well.

As an extra curiosity, mid-range enterprises are most prone to cyberattacks combining bots and API vulnerabilities.

Why Are APIs Such an Appealing Target, and How Does Equixly Help?

There are four main reasons why APIs have become a primary target for malicious actors.

1. Unsuitable Security Mechanisms

By unsuitable security mechanisms, we mean API gateways and WAFs (web application firewalls). Ethical hackers and cybersecurity experts like Alissa Knight have repeatedly warned and shown that gateways and WAFs are insufficient as API security mechanisms and leave your APIs widely exposed to cyberattacks.

Due to their unique role in modern development and application architecture, APIs require solutions tailored to their specific nature. While gateways and WAFs can play a supplemental role, specialized cybersecurity solutions are indispensable for securing APIs.

Equixly is precisely that: a specialized API security platform that applies automation and artificial intelligence to address security issues specific to the API realm.

2. Direct Access to Critical Business Functions and Sensitive Data

As crucial interlinking interfaces, APIs connect critical components in modern business software environments and operate with invaluable business-sensitive and private data. As such, they cut costs and time for hackers to carry out a data breach attack or cause damage to the underlying system.

Equixly’s proprietary AI engine allows the platform to understand business logic flows and find exploitable flaws in them. In addition, it scans for sensitive data passing through your API endpoints and performs data classification, helping with vulnerability prioritization.

3. Under-Secured API Deployment

APIs involve quick deployment, allowing fast app development and dramatically decreased time-to-market. Because of this quality, they play a fundamental role in the race for competitive advantage in a wildly dynamic business climate.

However, the quick deployment pace does not go hand in hand with proper and well-tested security measures (and this is an understatement).

Threat actors, being aware of that, probe APIs first—instead of taking the longer and more complex traditional route to penetrating systems—knowing that access to sensitive business functions and data is only one overlooked API vulnerability away.

Equixly helps you address this problem by integrating API security testing and automated penetration testing early into the software development life cycle. That way, you can eliminate or minimize security vulnerabilities on time, have controlled API deployment, and avoid expensive late-stage risk remediation.

4. API Sprawl

The unchecked proliferation of APIs in an information environment is an awfully common phenomenon. It results in the lack of visibility where unknown and undocumented APIs are sitting abandoned and uninventoried, waiting for someone, ironically threat actors, to find them.

To make things worse, these invisible APIs are usually less secure than their visible counterparts, increasing the risk even further.

By discovering shadow API endpoints, Equixly allows you to build a complete inventory of your APIs and enhance visibility—one of the most acute problems in cybersecurity.

Conclusion

This article argued the following points:

• Insecure APIs have the potential to cause critical damage to organizations.
• The larger the enterprise, the higher the chances of API breaches.
• Inappropriate security mechanisms, unmediated access to key business functions and sensitive data, lightly secured API deployment, and API sprawl are four main factors why APIs are such an attractive target for malicious actors.
• Equixly allows you to address these four factors as a purpose-built API security platform that uses automation and AI to detect business logic vulnerabilities, conduct data classification, test your APIs in development, and find undocumented API endpoints.

Reach out to learn more about how we can help your organization secure its APIs.

Carlo De Micheli

Director of Product Marketing

Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.

Zoran Gorgiev

Technical Content Specialist

Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.