Hackers abuse API popularity to break into accounts and steal data


Application Programming Interfaces (APIs) are one of the pillars of today’s blazing fast, interconnected web apps, cloud-based solutions, and internet sites.

However, this popularity also means APIs are often shipped without proper safeguards and contingencies, making them a huge risk factor for the cybersecurity of many organizations.

Now, a new report claims hackers have been paying attention and are increasingly targeting APIs in their malicious campaigns.

Malicious bots everywhere

A new report from Imperva has found that almost three-quarters (71%) of all internet traffic today consists of API calls. Furthermore, the average enterprise made 1.5 billion API calls last year.

Aware of the advantages APIs can give a business, organizations are rushing to deliver as many digital services as they can, as fast as they can. An organization now has, on average, 613 API endpoints in production, the researchers said.

This also makes them a risk. The good news is that businesses are aware of it, and many are adopting shift-left frameworks and SDLC processes to safeguard their products. However, in many cases, APIs are moved into production without proper audits, quickly becoming a security risk.

Hackers, on the other hand, have been paying attention, and are increasingly abusing APIs in their efforts to steal sensitive data from organizations. Among the industries surveyed, organizations in financial services and online retail had the most API calls last year, and thus also suffered the most API-related attacks.

Most of the time, hackers abuse API endpoints in Account Takeover (ATO) attacks, the researchers said. Last year, almost half of all ATO attacks (45%) targeted vulnerable API endpoints. To make matters worse, these attacks are rarely carried out manually. Instead, countless malicious bots run automated tasks, logging into vulnerable accounts, grabbing sensitive data, and more.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.