API Security

Identity and Authorization At Cloud Scale

The future has a lot to answer for. For decades we’ve been promised super-cool inventions that we still haven’t received - flying cars, jetpacks and IAM platforms that provide security, scale and manageability, all wrapped up with 21st century automation. George Jetson’s job had two settings ("Start" & "Stop") and the computer did the...

When your modern IAM platform isn't modern: the case for authorization and identity microservices.

By Nathanael Coffing, CSO and co-founder of Cloudentity. A couple of weeks ago, a leading identity provider suffered a zero-day vulnerability that was immediately used maliciously to compromise financial, retail and healthcare customers. The big question is: why was this "modern" IAM platform so appealing to security researchers and hackers alike, and how can we,...

The Experian Credit Score Breach: What Happened and How to Prevent Future API Data Breaches

Last week, the public was notified about a pretty serious Experian API-related incident leading to the potential public exposure of credit scores for millions of Americans. What Went Wrong? Experian’s credit score API drew the attention of security researcher Bill Demirkapi. It started innocently with him looking around for student loan options. He bumped...

DoorDash Breach: 4.9 Million Customers and Merchants

DoorDash, the folks who bring you your Big Macs and local fresh mex, disclosed that the personal data of 4.9 million customers, workers and merchants was compromised, including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords (it wasn't made clear what kind of algorithm they use to hash...

YouTube Hack: When 2FA isn’t quite enough

Hackers targeted a number of high-profile, “influencer” YouTube accounts using a coordinated phishing attack. “Phishing” is where a notification (email, text, etc.) pretends to come from the provider and leads the individual to a site that looks very, very much like the real site. Then they get the individual to enter valid credentials, which they steal and...

Breach: Ticketing company Get exposes 50,000 Australian Students

For the second time, university ticketing company Get exposed student data by leaving it accessible through an unsecured API; we know the balance of security and convenience can slow down development, but to have the website use a completely insecure API is unconscionable. A user on Reddit was able to probe the API without any...

Hacking the Provider: 14 Million Hostinger Accounts Exposed

Web hosting provider Hostinger alerted customers to unauthorized activity that gave someone (unknown) access to an API that contained 14 million customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm (which is more susceptible to a rainbow table attack and has been deprecated for a few years now). Credit is due to Hostinger...

90,000 German MasterCard Customers Data Posted in Breach

GDPR will definitely bite MasterCard on a breach of 90,000 German customers' data, including names, addresses and partial credit card numbers. And there are reports of an additional, unidentified list circulating with full credit card numbers. As with other recent breaches, it appears a third-party vendor was trusted with the data, and then proceeded to...

Breach: Unsecured Mongo database exposes 700,000 Choice Hotels

Choice Hotels' vendor had left open an unsecured MongoDB connection to a database containing 700,000 guests' information, including full names, addresses, phone numbers and email addresses. The hotel chain includes brands Comfort, Sleep Inn, Quality Inn, Clarion, Econo Lodge, Rodeway Inn and many more. As with yesterday's Biostar 2 breach, developers didn't consider the http...

Biostar 2 Breach: Fingerprints and Facial Recognition available on open API

A huge security hole exposed fingerprints of over 1 million people along with facial recognition information, unencrypted usernames and passwords, and employment details from Biostar 2, a biometric security platform made by South Korea-based Suprema Inc. that manages building access and physical security for thousands of companies worldwide. vpnMentor, a security test company, was...

StockX “System Update” Revealed to be a Breach

First StockX forced a password reset, telling customers it was due to a system update; now it turns out that not only were over 6 million user records exposed, but that data is for sale by hackers. Online shoe reseller StockX abruptly forced all users to reset their passwords a couple of weeks ago, saying it...

2019 CafePress breach exposes 23 million users… What did we learn?

This post looks back at the CafePress data breach of 2019, the compromised user data, how CafePress handled the breach, the resulting fall-out, and how consumers and companies can protect themselves from future hacks. About the CafePress data breach: CafePress is a popular custom T-shirt and merchandise online retailer that was hacked, exposing the email...