API Security Firm APIsec Exposes Internal Database with Customer Data

Jordan Vega

March 31, 2025 · 3 min read
API security firm APIsec has confirmed that it exposed an internal database containing sensitive customer data, including names, email addresses, and details about the security posture of its corporate customers. The database, which was connected to the internet without a password for several days, stored records dating back to 2018.

The exposed data included information about attack surfaces of APIsec's customers, such as details about whether multi-factor authentication was enabled on a customer's account. According to UpGuard, the security research firm that discovered the database, this information could provide useful technical intelligence to a malicious adversary.

APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for security weaknesses. APIs allow different systems or applications to communicate with each other, and insecure APIs can be exploited to siphon sensitive data from a company's systems. The exposure of APIsec's internal database raises questions about the company's own security practices and its ability to protect its customers' data.

Initially, APIsec founder Faizel Lakhani downplayed the security lapse, saying that the database contained "test data" that APIsec uses to test and debug its product. However, UpGuard found evidence of information in the database relating to real-world corporate customers of APIsec, including the results of scans from its customers' API endpoints for security issues. The data also included some personal information of its customers' employees and users, including names and email addresses.

Lakhani later backtracked, saying that the company completed an investigation on the day of UpGuard's report and "went back and redid the investigation again this week." The company subsequently notified customers whose personal information was in the database that was publicly accessible. However, Lakhani declined to provide a copy of the data breach notice that the company allegedly sent to customers, and would not comment on whether the company plans to notify state attorneys general as required by data breach notification laws.

The exposed database also contained a set of private keys for AWS and credentials for a Slack account and GitHub account. While APIsec said the keys belonged to a former employee who left the company two years ago and were disabled upon their departure, it's unclear why the AWS keys were left in the database.

The incident highlights the importance of robust security practices, even for companies that specialize in security. APIsec's exposure of its internal database is a stark reminder that no company is immune to security lapses, and that even the most seemingly secure organizations can make mistakes. As the use of APIs continues to grow, the need for robust security testing and monitoring will become increasingly critical.

In the wake of this incident, APIsec's customers and the broader tech community will be watching closely to see how the company responds and what steps it takes to prevent similar security lapses in the future. The incident also underscores the need for greater transparency and accountability in the cybersecurity industry, where companies that fail to protect their customers' data can face serious consequences.

Copyright © 2024 Starfolk. All rights reserved.