Your business depends on APIs, which are essential for contemporary digital experiences, encompassing everything from mobile applications and IoT devices to the rapidly evolving AI landscape. With more than 80% of internet traffic now routed through APIs — a number projected to rise significantly due to AI developments — their security is crucial. Unfortunately, this vital infrastructure faces growing attacks, with these threats being a real and current danger to many.

The remarkable increase in such incidents serves as a wake-up call: a majority, 64% of organizations, have encountered an API attack or security breach in just the past year. This widespread threat landscape understandably generates considerable concern regarding the protection of sensitive data.

This worry is felt across various sectors, as 87% of organizations acknowledge their unease about data governance and/or data exposure issues resulting specifically from insecure APIs. A frequent oversight intensifies the issue: many organizations believe they have far fewer APIs than they do, by an underestimated margin of 70-80%. This misjudgment leaves numerous APIs, including shadow or neglected ones, exposed, resulting in a large and often unseen attack surface that could lead to significant data breaches when compromised.

Let’s look at some real-world examples of what’s at stake:

• Meta (Facebook): In 2018, attackers exploited a vulnerability in Facebook’s “View As” feature, which interacted with the platform’s APIs. This compromised access tokens and exposed the personal data of approximately 29 million users, leading to a hefty €251,000,000 fine.
• PayPal: In late 2022, cybercriminals exploited weaknesses in PayPal’s systems, potentially involving API vulnerabilities. This breach led to unauthorized access to customers’ personal information, including Social Security numbers, resulting in a $2,000,000 fine.
• AT&T: A data breach in January 2023 affected 8.9 million AT&T wireless customers. While the specifics of API involvement weren’t fully disclosed, such breaches, especially those involving cloud vendors, frequently implicate API security lapses. The fine in this case was $13,000,000.

While these are prominent examples, numerous other API-related security incidents highlight the growing threat landscape:

• Optus: In 2022, the Australian telecommunications company suffered a major data breach where personal details of almost 10 million customers were exposed. Reports indicated an unauthenticated API was the entry point for the attackers.
• Twitter (now X): Also in 2022, a vulnerability in a Twitter API allowed attackers to access the phone numbers and email addresses of 5.4 million users, even if those users had hidden this information in their privacy settings.
• Peloton: Security researchers discovered in 2021 that Peloton’s APIs allowed unauthorized access to user data, including user IDs, age, weight, gender, and workout statistics, regardless of whether profiles were set to private.

These incidents highlight a crucial truth: traditional security measures are frequently inadequate for tackling the distinct challenges associated with API security. Edge solutions, such as CDNs and WAAPs, may provide only basic inspection or rely on signature/schema-based defenses, while CNAPP/CSPM tools offer merely partial coverage of cloud environments. Neither approach effectively counters complex API business logic attacks or offers comprehensive visibility and governance across all APIs, which includes those on-premise or within encrypted traffic.

The issue is exacerbated by the ever-changing nature of APIs, with 75% undergoing updates weekly. This swift pace of change, combined with a common underestimation of the total number of APIs within an organization, creates an ideal environment for attackers.

It is evident that a proactive and committed strategy for API security has become a fundamental requirement, not a luxury. Organizations need to:

• Discover and Create a Unified Inventory: Gain full visibility across all internal, external, shadow, and third-party APIs.
• Posture Governance and Compliance: Assess API risk, enforce security policies, and detect misconfigurations in real-time.
• Stop Behavioral API Attacks: Identify and block threats that exploit business logic or legitimate functionality, going beyond simple rules and signatures.

The threats are real, the stakes are high, and the time to act is now. Don’t wait for a breach to expose your vulnerabilities. Secure your APIs to protect your data, your customers, and your business.

If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture governance, and run-time threat protection, please contact us, schedule a demo, or check out our website.