API testing firm APIsec exposed customer data during security lapse

API testing firm APIsec has confirmed that it secured an exposed internal database containing customer data, which was connected to the internet for several days without a password.

The exposed APIsec database stored records dating to 2018, including the names and email addresses of its customers' employees and users, as well as details about the security of APIsec's corporate customers.

According to security research firm UpGuard, which found the database, most of the data was generated by APIsec as it monitors its customers' APIs for security weaknesses.

UpGuard found the leaked data on March 5 and notified APIsec on the same day. APIsec secured the database soon after.

APIsec, which claims to have worked with Fortune 500 companies, bills itself as a company that tests APIs for its various customers. APIs allow two or more things on the internet to communicate with each other, such as an organization's back-end systems with users accessing its applications and websites. Insecure APIs can be exploited to siphon sensitive data from an organization's systems.

In a now-published report, which was shared with TechCrunch before its release, UpGuard said that the exposed data included information related to the attack surfaces of APIsec's customers, such as details of whether multi-factor authentication was enabled on a customer's account. UpGuard said that this information could provide useful technical intelligence to a malicious adversary.

When reached by TechCrunch, APIsec founder Faizel Lakhani initially downplayed the security lapse, saying that the database contained “test data” that APIsec uses to test and debug its product. Lakhani added that the database was “our production database” and “no customer’s data was in the data database.” Lakhani confirmed that the exposure was caused by “human mistakes” and not by any malicious incident.

“We have stopped public access quickly. Database data is not usable,” said Lakhani.

However, UpGuard said that it found data in the database relating to real-world corporate customers of APIsec, including results from scans of its customers' API endpoints for security issues.

UpGuard said the data also included some personal information belonging to APIsec's customers and to users of its customers.

When TechCrunch provided the company with evidence of leaked customer data, Lakhani backtracked. In a later email, the company said that it had completed an investigation on the day of UpGuard's notification and “the investigation again re-renewed this week.”

Lakhani said the company later notified the customers whose personal information was in the publicly accessible database. When asked, Lakhani would not provide a copy of the data breach notice that the company had sent to customers.

Lakhani declined to comment further when asked whether the company planned to notify state attorneys general as required by data breach notification laws.

UpGuard also found a set of private keys for AWS and credentials for a GitHub account in the dataset, but the researchers could not determine whether the credentials were active, because it would be illegal to use the credentials without permission. APIsec said that the keys belonged to a former employee who left the company two years ago and were disabled upon their departure. It is not clear why the AWS keys were left in the database.