Written by Yang Sujian, All-knowing Technology (Hangzhou) Co., Ltd.
In recent years, with the rapid growth of the application scope of data interfaces such as APIs, due to the lack of security measures and monitoring and early warning mechanisms, large-scale data leaks and other security incidents have occurred frequently. The following is an inventory of some data security incidents caused by insufficient data interface security measures in 2023 for reference:
1. Serious vulnerabilities in the automotive industry: 20 well-known car companies exposed the personal information of car owners
At the beginning of 2023, cybersecurity researcher Sam Curry and his research team found many API application defects in vehicles and connected car services produced by dozens of the world's top automakers, covering more than 20 well-known brands such as Ford. In addition, the research team found a large number of serious API security flaws in the application solutions of mainstream Internet of Vehicles service providers such as Reviver, SiriusXM, and Spireon.
2. T-Mobile, a multinational mobile operator, suffers a data leak
In January 2023, wireless giant T-Mobile disclosed that it was actively investigating a data breach that could affect 37 million user accounts; the leaked basic customer information includes data such as name, billing address, email, and ** number. According to T-Mobile, the hackers obtained the data without authorization through an application programming interface (API). This is not T-Mobile's first major cybersecurity incident: since 2018, T-Mobile has had 8 consecutive information breaches due to API security vulnerabilities.
3. ChatGPT suffered a data breach
In late March of this year, ChatGPT announced that it had suffered a data breach. It is reported that before March 20, some users could see fragments of other people's chat history, as well as other users' credit card last four digits, expiration date, name, email address, payment address and other information. Initially, the problem affected only a few users, but it was further exacerbated by another mistake made by OpenAI while making changes to the server, and the share of affected users grew to 12%. OpenAI's post-mortem analysis said that the vulnerability was in redis-py, the open-source Redis client library, and that an attacker could exploit it to send a malicious ** to the Redis database, resulting in a data leak.
4. Honda Group's e-commerce ** vulnerability led to data leakage
Security researcher Eaton Zveare discovered a security vulnerability and data breach in the open APIs of Honda's e-commerce platform earlier this year and notified Honda of his discovery in mid-March. Zveare claims that he was able to exploit a poorly secured application programming interface (API) to break into Toyota's GSPIMS system and gain full access to Toyota's internal projects, documents, and user accounts, including those of Toyota's external partners. The issue involved more than 14,000 users and confidential information; if an attacker could exploit the vulnerability and add their own accounts, they could gain long-term access to Toyota's data and affect the company's global operations.
5. Johnson & Johnson Healthcare's database could be accessed without authorization
Johnson & Johnson Healthcare Systems ("Janssen") recently notified its CarePath customers that their sensitive information had been compromised. According to a notice from Johnson & Johnson**, the company discovered a vulnerability that could allow unauthorized access to the CarePath database and to details such as CarePath user name, contact information, date of birth, health insurance information, medication information, and medical condition information. The data breach affected CarePath users who signed up for Johnson & Johnson** services before July 2, 2023. This could indicate that the data breach occurred on that day, or that a database backup was compromised.
6. A recruitment app was attacked by credential stuffing: hackers stole 3 million pieces of data
In December 2023, according to CCTV News, the SMS verification code interface of a job search and recruitment app was attacked more than 13 million times. **The investigation found that 2 suspects took advantage of the ** vulnerability to build hacking software and carry out "credential stuffing" attacks, obtaining a large amount of personal information and company account data overseas**. More than 330 pieces of data belonging to various companies and individuals were seized at the arrest site. According to the suspects' confession, they found that the signature algorithm of ** was relatively simple, so they exploited this weakness to write instructions and build hacking software for "credential stuffing" attacks.
7. A well-known genetic testing company in the United States was hacked, possibly leaking the ancestry data of 300,000 Chinese
In December 2023, a U.S. genetic testing company announced that hackers had used customers' old passwords in credential stuffing attacks to obtain the personal information of about 6.9 million user profiles (some of the stolen file information includes family genealogy, year of birth, and geographic location), and sold them for $1-10 per account; the data contains sample user data of about 1 million Jews and 300,000 Chinese.
Carrying out data interface security risk monitoring is an important measure for avoiding data leakage, tampering, abuse, and similar harm. The 2023 national standard "Information Security Technology - Data Interface Security Risk Monitoring Method" describes the relationship between data interface elements, analyzes the vulnerability of data interfaces, the vulnerability of interfaces carrying unreasonable data, the threat of interface invocation behavior, and the threat of interface provision activities, and proposes methods for monitoring data interface security risks.
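The credential-stuffing case above (13 million calls to an SMS verification code interface) is the kind of interface invocation behavior that monitoring is meant to catch. The following is an added illustration, written for this page and not taken from the article, from the cited national standard, or from any of the named companies: it parses constructed API access log lines and flags a source that, within a sliding time window, either calls a sensitive endpoint too often or targets too many distinct accounts. The log format, the endpoint paths (`/api/sms/send_code`, `/api/login`), the IP addresses and the thresholds are all assumptions chosen for the example.

```python
"""Toy monitor for data-interface invocation behaviour (added example).

Flags sources that hammer a sensitive interface such as an SMS verification-code
endpoint, the pattern behind the credential-stuffing case in the article. The log
format, endpoint paths, addresses and thresholds below are constructed for
illustration and are not taken from any real system or from the standard.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log: time, source IP, endpoint, target account, HTTP status.
SAMPLE_LOG = """\
2023-12-01T10:00:00Z 203.0.113.5 /api/sms/send_code user0001 200
2023-12-01T10:00:01Z 203.0.113.5 /api/sms/send_code user0002 200
2023-12-01T10:00:01Z 203.0.113.5 /api/sms/send_code user0003 200
2023-12-01T10:00:02Z 203.0.113.5 /api/sms/send_code user0004 200
2023-12-01T10:00:02Z 203.0.113.5 /api/sms/send_code user0005 200
2023-12-01T10:00:03Z 203.0.113.5 /api/sms/send_code user0006 200
2023-12-01T10:00:05Z 198.51.100.7 /api/sms/send_code user0042 200
2023-12-01T10:00:30Z 198.51.100.7 /api/sms/send_code user0042 200
2023-12-01T10:00:40Z 198.51.100.7 /api/profile user0042 200
2023-12-01T10:05:00Z 192.0.2.9 /api/login user0099 401
2023-12-01T10:05:01Z 192.0.2.9 /api/login user0100 401
2023-12-01T10:05:01Z 192.0.2.9 /api/login user0101 401
2023-12-01T10:05:02Z 192.0.2.9 /api/login user0102 401
2023-12-01T10:05:02Z 192.0.2.9 /api/login user0103 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Interfaces whose invocation behaviour is monitored (assumed paths).
SENSITIVE_ENDPOINTS = {"/api/sms/send_code", "/api/login"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    endpoint: str
    account: str
    status: int


def parse_log(text):
    """Parse log lines into Events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, endpoint, account, status = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, src, endpoint, account, int(status)))
    return events


def detect_abuse(events, sensitive=SENSITIVE_ENDPOINTS,
                 window=timedelta(seconds=60), max_calls=5, max_accounts=3):
    """Return (src, endpoint, reason) findings, one per reason per source/endpoint.

    Within a sliding window per (source, endpoint):
      - more than max_calls invocations      -> "call volume"
      - more than max_accounts distinct users -> "account enumeration"
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.endpoint in sensitive:
            by_key[(e.src, e.endpoint)].append(e)

    findings = []
    for (src, endpoint), evs in by_key.items():
        start = 0
        volume_flagged = accounts_flagged = False
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if not volume_flagged and len(win) > max_calls:
                findings.append((src, endpoint, "call volume"))
                volume_flagged = True
            if not accounts_flagged and len({e.account for e in win}) > max_accounts:
                findings.append((src, endpoint, "account enumeration"))
                accounts_flagged = True
    return findings


def run_sample():
    """Run the monitor over the constructed log and return its findings."""
    return detect_abuse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, endpoint, reason in run_sample():
        print(f"ALERT {src} {endpoint}: {reason}")
```

The two thresholds deliberately measure different things: a single account asking for a code repeatedly (198.51.100.7 in the sample) stays under both limits, while one source cycling through many accounts is caught by the enumeration rule even when its total call volume looks modest, as the `/api/login` source shows. In production the same logic would run over a streaming log source, and the thresholds would be set per interface from a baseline of normal traffic.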
*: CCIA Data Security Working Committee.
Editor: Yoyo