Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label API Attack. Show all posts
leaked sensitive data
API API Attack API Keys API security Cyber Security data security government data breaches leaked sensitive data

ClickUp API Key Exposure Leaves Corporate and Government Email Data Public for Over a Year

 

A previously unnoticed weakness in ClickUp’s web infrastructure sat undetected - exposing private data due to an embedded API key left visible on its public site. For over twelve months, access to internal records remained possible because safeguards were missing at a basic level. Emails tied to businesses and official agencies could be pulled by outside parties; no login required. This gap emerged not from complex hacking but from routine coding oversights ignored during deployment. Hidden credentials like these often escape review until examined closely. Months passed before scrutiny revealed what should have been caught earlier. Security gaps of this kind stem less from advanced threats and more from everyday lapses repeated across teams. 

Open talk about the problem began when security analyst Impulsive shared findings showing the leaked credential sat inside a JavaScript file served by ClickUp's site, even before login steps occurred. Since code running in browsers can always be seen, grabbing the API key took little effort and allowed contact with internal servers. Without needing any special access, one basic query allegedly pulled close to a thousand emails plus vast numbers of hidden development settings from the system. The study showed that 959 employee email addresses were part of the leaked data, tied to staff in large companies and public institutions spanning various locations. 

About 3,165 feature flags also turned up in the exposure - visible without restriction. Hidden inside what looks like routine code, these flags might expose how teams test software, plan releases, roll out new tools, or shape future updates. Because of that, malicious actors might mine them to craft deceptive emails, manipulate individuals through tailored messages, or collect insights on rivals’ progress. Surprisingly useful intel often hides where it seems least likely. Early in 2025, news of the exposure surfaced - yet by April 2026, it still hadn’t been fixed, stretching out the time hackers could act. Because access stayed open so long, experts say attackers gained more chances to try breaking in using stolen login details, fake identities, or personalized emails targeting workers linked to the affected websites. 

What happened shows a wider issue for groups depending on cloud-based services. Though easy to avoid, fixed login details remain common in today’s coding practices. When secret access tokens appear in open-source repositories, bots usually find them fast - sometimes in under sixty seconds. Even low-level access codes can lead to large data leaks if internal systems lack strong verification rules. Rotating API keys often helps lower exposure over time. Client-side apps without embedded secrets tend to withstand attacks better. Strict limits on backend access form another layer of defense. 

Protection against phishing gains strength when using tools like DMARC, SPF, or DKIM. Unusual logins catch attention faster with constant tracking. Exposed domains become visible through active threat data streams. Security improves not by one fix alone, but steady adjustments across systems. A quiet mistake lingered unseen within ClickUp's system, revealing data widely before detection. When operations move into shared online environments, oversight gaps often emerge - making careful monitoring essential. Security lapses like this highlight growing pressure on organizations to act earlier, respond smarter, stay alert longer.
Read more »
Privacy
AI Chatbot API Attack Automated accounts CDN Cloudfare Data Fraud Firewall Privacy

Automated Bots Pose Growing Threat To Businesses

The capability to detect, manage, and mitigate bot-based requests has become of utmost importance as cyber attackers become more automated. Edgio, a company created by the merging of Limelight Networks, Yahoo Edgecast, and Layer0, has unveiled its own bot management service in response to this expanding threat. In order to compete with competing services from Web application firewall (WAF) providers and Internet infrastructure providers, the service focuses on leveraging machine learning and the company's Web security capacity to enable granular policy controls.

Bot management is not just about preventing automated attacks, but also identifying and monitoring good bots such as search bots and performance monitoring services. According to Richard Yew, senior director of product management for security at Edgio, “You definitely need the security solution but you also want visibility to be able to monitor good bot traffic.” In 2022, for example, the number of application and API attacks more than doubled, growing by 137%, according to Internet infrastructure firm Akamai. 

The impact of bots on businesses can be seen in areas such as inventory-hoarding attacks or ad fraud. As a result, bot management should involve all aspects of an organization – not just security. Sandy Carielli, principal analyst at Forrester Research noted that “bot management is not just about security being the decision-makers. If you're dealing with a lot of inventory-hoarding attacks, your e-commerce team is going to want to say in. If you're dealing with a lot of ad fraud, your marketing team will want to be in the room.”

Bot management systems typically identify the source of Web or API requests and then use policies to determine what to allow, what to deny, and which requests represent potentially interesting events or anomalies. Nowadays, 42% of all Internet traffic comes from automated systems — not humans — according to data from Imperva. To deal with this, Edgio inspects traffic at the edge of the network and only allows ‘clean’ traffic through its network. This helps stop attacks before they can impact other parts of the network. Content delivery networks (CDNs) such as Akamai, Cloudflare, and Fastly have also adopted bot management features as well.

Bot management is clearly becoming a more crucial issue for enterprises as automated attacks increase in frequency. Organizations require all-encompassing solutions to address this issue, involving teams from marketing, security, and e-commerce. Employing such technologies enables organizations to safeguard their resources from dangerous bot attacks while keeping track of reputable good bots. 


Read more »
Vulnerabilities and Exploits
API Attack Artificial Intelligence Chatbot Open Source Software Quantum computing Software Vulnerabilities and Exploits

ChatGPT's Effective Corporate Usage Might Eliminate Systemic Challenges

 

Today's AI is highly developed. Artificial intelligence combines disciplines that make an effort to essentially duplicate the capacity of the human brain to learn from experience and generate judgments based on that experience. Researchers utilize a variety of tactics to do this. In one paradigm, brute force is used, where the computer system cycles through all possible solutions to a problem until it finds the one that has been proven to be right.

"ChatGPT is really restricted, but good enough at some things to provide a misleading image of brilliance. It's a mistake to be depending on it for anything essential right now," said OpenAI CEO Sam Altman when the software was first launched on November 30. 

According to Nicola Morini Bianzino, global chief technology officer at EY, there's presently no killer use case for ChatGPT in the industry which will significantly affect both the top and bottom lines. They projected that there will be an explosion of experimentation over the next six to twelve months, particularly after businesses are able to develop over the top of ChatGPT utilizing OpenAI's API.

While OpenAI CEO Sam Altman has acknowledged that ChatGPT and other generative AI technologies face several challenges, ranging from possible ethical implications to accuracy problems.

According to Bianzino, this possibility for generative AI's future will have a big impact on enterprise software since companies would have to start considering novel ways to organize data inside an enterprise that surpasses conventional analytics tools. The ways people access and use information inside the company will alter as ChatGPT and comparable tools advance and become more capable of being trained on an enterprise's data in a secure manner.

As per Bianzino, the creation of text and documentation will also require training and alignment to the appropriate ontology of the particular organization, as well as containment, storage, and control inside the enterprise. He stated that business executives, including the CTO and CIO, must be aware of these trends because, unlike quantum computing, which may not even be realized for another 10 to 15 years, the actual potential of generative AI may be realized within the next six to twelve months.

Decentralized peer-to-peer technology mixed with blockchain and smart contracts capabilities overcome the traditional challenges of privacy, traceability, trust, and security. By doing this, data owners can share insights from data without having to relocate or otherwise give up ownership of it.



Read more »
Twitter Data Breach
API API Attack API security Data Breach Hacking PII Social Engineering Attack Twitter Data Breach

Twitter Data Breach Indicates How APIs Are a Goldmine for PII and Social Engineering


A Twitter API vulnerability that was detected in June 2021, and was later patched, has apparently been haunting the organization yet again. 

In December 2022, a hacker claimed to have access to the personal data of 400 million Twitter users for sale on the dark web markets. And only yesterday, the attacker published the account details and email addresses of 235 million users. 

The breached data revealed by the hacker includes account names, handle creation data, follower count, and email addresses of victims. Moreover, the threat actors can as well design social engineering campaigns to dupe people into providing them their personal data. 

Twitter: A Social Engineering Goldmine 

Social media giants provide threat actors with a gold mine of user data and personal information that they can utilize in order to perform social engineering scams. 

Getting a hold of just a user name, email address, and contextual information of a user’s profile, available to the public, a hacker may conduct reconnaissance on their targeted user and create phishing and scam campaigns that are specifically designed to dupe them into providing personal information. 

In this case, while the exposed information was limited to users’ information available publicly, the immense volume of accounts exposed in a single location (Twitter) has in fact provided a “goldmine of information” to the threat actors. 

The Link Between Social Engineering and API Attacks 

Unsecured APIs allow cybercriminals direct access to users’ Personally Identifiable Information (PII), such as username and password, which is captured when the user connects to any third-party service API. API attack thus provides threat actors with a window to collect large amounts of personal information for scams. 

An instance of this happened just a month ago when a threat actor leveraged an API flaw to gather the data of 80,000 executives throughout the private sector and sell it on the dark web. The threat actor had applied successfully to the FBI's InfraGard intelligence sharing service. 

The data collected during the incident included usernames, email addresses, Social Security numbers, and dates of birth of victims. This highly valuable information was utilized by the threat actors for developing social engineering dupes and spear phishing attacks. 

How to Protect APIs and PII? 

One of the main challenges faced while combating API breaches is how modern enterprises need to detect and secure a large number of APIs. A single vulnerability can put user data at risk of exfiltration, therefore there is little room for error. 

“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use […] It’s a lot for organizations to manage, but the risk is too great not to,” says Chris Bowen, CISO at ClearDATA.  “In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport, exchange security, and trusted connectivity.”

It has also been advised to the security team to not rely solely on simple authentication options like username and password in order to secure their APIs. 

“In today’s environment, basic usernames and passwords are no longer enough […] It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth,” says Will Au, senior director for DevOps, operations, and site reliability at Jitterbit. 

Moreover, measures such as utilizing a Web Application Firewall (WAF), and monitoring API traffic in real time can aid in detecting malicious activities, ultimately minimizing the risk of compromise.  

Read more »
Subscribe to: Posts (Atom)