Team Traceable
Cybersecurity Roundup for January 2023: T-Mobile data leak, CircleCI vulnerability, rampant API automotive exploits possible, AWS Vulnerability, and Cryptotheft by API
This year began with API attacks leading the way as the top vector for data breaches. The entire month they have dominated the news cycles with stories of how hackers stole the data of tens of millions of people — yet again.
In fact, last month, Traceable’s Chief Security Officer, Richard Bird, predicted this would happen. And lo and behold, not three weeks went by in January, and here we are.
T-Mobile Data Breach: The API Security Reckoning is Here
On Thursday, January 19th, T-Mobile disclosed their latest data breach that has impacted approximately 37 million of their customers. Traceable’s Richard Bird did an analysis which you can read here.
It was only months ago that T-Mobile entered into a $350 million class action settlement that resulted from their 2021 data breach of personal data – that one affecting 77 million of their customers. As part of that settlement, the company committed to spending an additional $150 million to address its cybersecurity gaps.
And yet, here we are, again.
“We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.”
But what made this data breach particularly bad was T-Mobile’s response — or lack thereof.
Apparently, the bad actor had access to this particular API for approximately 6 weeks. A lot can happen in that amount of time.
According to their 8-K SEC filing, they stated that the bad actor first retrieved data through the API in question, around November 25, 2022.
This means that this particular API data breach had a dwell time of more than 40 days, because the hacker had started accessing sensitive data via the API in question, from November 25th, 2022.
The CircleCI Data Breach
CircleCI, a developer product focused on Continuous Integration (CI) and Continuous Deployment (CD), with over one million users, published an advisory this week urging its customers to immediately rotate all secrets following a breach of the company’s systems. The blog was published by their CTO and the details can be found on their website. Though the exact details of the breach are not available, the recommendations from CircleCI have been specific –
- Please rotate any and all secrets stored in CircleCI.
- Users need to review internal logs for signs of any unauthorized access starting from December 21, 2022, to January 4, 2023, or until when the secrets are rotated.
- Tokens that need to be rotated include
- OAuth tokens
- Project API tokens
- User API tokens
- Runner Tokens
- Project environment and context variables
Read Traceable’s analysis here.
Automotive API vulnerabilities abound = API Carhacking
The avoidable API related security incidents that have occurred over the past year are driving us crazy. Last year, Tesla and Uber both faced API security incidents. Now, earlier this month, extensive API vulnerabilities were reported for 16 major automotive companies. This list – a who’s who of massive companies including BMW, Ford, Toyota, and Mercedes-Benz – had vulnerabilities which exposed them to ATO, remote code execution, hijacking, information theft.
Such rampant and major vulnerabilities across the industry give insight into how hurried and ill-secured APIs are – a problem that we’ve been aware of for a while, what with the development of APIs across industries being done and deployed with little to no security framework. That needs to change now, this void in your security will only result in more and greater API security incidents.
Bonus: AWS patches cloudtrail vulnerability, cryptotheft, and Google’s newest Threat Horizons report.
AWS this month immediately issued a patch when Datadog researchers reached out with information about a discovered vulnerability: where the security research team was able to access accounts via undocumented APIs. And 3Commas rang in the new year with a huge API theft confirmed: where a massive API key leak led to valid API keys being exposed on Twitter.
Finally, fittingly, Google released their fifth threat horizons report this month, notably highlighting API key compromise as being a factor in roughly 20% of the cases they studied in the past quarter, which suggests increased automation being taken by threat actors (check out page 7 of the report).
What a month. Is your head spinning? Us too.
The Bottom Line: API Security is Now the Core of Cybersecurity
The frustrating aspect of API attacks such as the ones reported above, is that they are completely avoidable. And we know they’re happening – Gartner has issued warning after warning – in a Gartner report last year stating that API breaches WILL BECOME the most frequent attack vector globally, nearly doubling by 2024. Just last year, Optus reported almost exactly the same vulnerability and result.
The question is no longer will you secure your APIs, it’s how and when will you close that loop? Will it be reactionary, or will you heed these cautionary tales and build these security solutions into your security operations? No matter which route you take, you can no longer claim ignorance of this major security concern.
About Traceable
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.
