SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

30,000 Postman workspaces leak API keys & credentials

Yesterday

CloudSEK's TRIAD team has identified over 30,000 public Postman workspaces leaking API keys and credentials, affecting major platforms and various industries.

CloudSEK's flagship platform, XVigil, surfaced these exposures over a year-long investigation. The study documented credential leaks across several sectors, including healthcare, finance, and athletic apparel, affecting both businesses and individuals.

Key findings of the report revealed that more than 30,000 publicly accessible Postman workspaces exposed sensitive information such as access tokens, refresh tokens, and third-party API keys. A further set of exposures could not be fully enumerated because of workspace permissions or Postman API limitations, so the true count is likely higher and the affected organisations remain at risk.

The services whose credentials were leaked most often include GitHub, with 5,924 exposures, Slack with 5,552, and Salesforce with 4,206. These counts reflect tokens for those services left in public Postman workspaces; the misconfiguration lies in how the workspaces were shared, not in the platforms themselves.

Critical sectors affected by these leaks include healthcare, athletic apparel, and financial services, underscoring considerable security risks. Exposed details include administrator credentials, payment processing API keys, and internal system access, raising concerns about potential financial and reputational harm.

CloudSEK has reported most incidents to the respective organisations, assisting in risk mitigation.

Examples of exposures include leaked credentials from an athletic apparel brand's Postman workspace, exposing shipment data, invoices, and trade secrets. In the healthcare sector, admin credentials exposed through a Postman workspace put a provider's support system and customer data at risk.

Additional cases include the exposure of Razorpay API keys, which could enable unauthorised transactions; a CRM platform whose refresh tokens and API endpoints were leaked, allowing an attacker to mint fresh access tokens for as long as the refresh tokens remain valid; and New Relic API key leaks granting access to sensitive system logs and infrastructure data.

The report noted that API documentation exposed in public workspaces maps out endpoints, parameters, and authentication flows, which helps an attacker craft targeted requests (including injection attempts) and convincing phishing lures, while the exposed tokens allow direct misuse of the services themselves.

In response to the findings, Postman has implemented new security measures. These include proactive secret detection and user notifications upon detection of sensitive data in public workspaces.


How Data Leaks Happen

The findings emphasise common practices leading to sensitive data exposure, including:

  • Inadvertent sharing of Postman collections.
  • Misconfigured access controls.
  • Syncing with publicly accessible repositories.
  • Storing sensitive data in plaintext without encryption.

These practices open the door to serious consequences, from data breaches and unauthorised transactions to reputational and financial damage.

A Call to Action: Best Practices for Securing APIs

CloudSEK urges organisations to adopt robust security measures to prevent such exposures:

  • Use environment variables to avoid hardcoding sensitive data.
  • Limit permissions and review access controls regularly.
  • Rotate tokens frequently and avoid using long-lived credentials.
  • Leverage secrets management tools for secure data storage.
  • Double-check collections before sharing and monitor activity logs for suspicious behaviour.

As API ecosystems grow increasingly complex, security lapses such as these can have far-reaching consequences.
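The two recommendations that are easiest to automate are "double-check collections before sharing" and "use environment variables to avoid hardcoding sensitive data". The following is an added example, not code from CloudSEK, Postman, or the report: it scans a Postman Collection v2.1 export for literal credentials in headers, query parameters, auth blocks and raw JSON bodies, then moves each one into a `{{variable}}` and emits a separate Postman environment file that stays out of the shared workspace. The sample collection is constructed for the example, the token values are dummies, and the detection rules (GitHub `ghp_` and Slack `xox?-` prefixes plus a list of sensitive field names) are a deliberately small assumption about what "looks like a secret".

```python
import copy
import json
import re

# Constructed Postman Collection v2.1 export with dummy credentials (not from the report).
SAMPLE_COLLECTION = {
    "info": {"name": "demo-api",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "GitHub user", "request": {
            "method": "GET", "url": {"raw": "https://api.github.com/user"},
            "header": [{"key": "Authorization", "value": "token ghp_" + "A" * 36}]}},
        {"name": "Slack", "item": [                      # a folder: requests nest under "item"
            {"name": "Post message", "request": {
                "method": "POST",
                "url": {"raw": "https://slack.com/api/chat.postMessage",
                        "query": [{"key": "token", "value": "xoxb-" + "1" * 12 + "-" + "a" * 24}]},
                "header": [{"key": "Content-Type", "value": "application/json"}],
                "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{slack_token}}"}]}}}]},
        {"name": "Charge", "request": {
            "method": "POST", "url": {"raw": "https://payments.example.test/v1/charge"},
            "auth": {"type": "basic", "basic": [
                {"key": "username", "value": "live_key_id_0123456789"},
                {"key": "password", "value": "{{payment_secret}}"}]},
            "body": {"mode": "raw", "raw": '{"amount": 100, "api_key": "sk_live_constructed_example"}'}}},
    ],
}

PLACEHOLDER = re.compile(r"\{\{[^{}]+\}\}")               # Postman variable reference
# Assumed, intentionally short prefix list: GitHub classic PATs and Slack bot/user/app tokens.
KNOWN_PREFIXES = re.compile(r"(ghp_[A-Za-z0-9]{36}|xox[abp]-[A-Za-z0-9-]{10,})")
SENSITIVE_KEYS = {"authorization", "x-api-key", "api_key", "apikey", "token",
                  "password", "secret", "client_secret"}
# JSON body fields with a sensitive name whose value is a literal (braces excluded, so {{var}} is skipped).
BODY_SECRET = re.compile(r'"(api_key|apikey|secret|password|token)"\s*:\s*"([^"{}]+)"', re.I)


def iter_requests(items, path=()):
    """Yield (path, request) for every request, descending into folders."""
    for item in items:
        here = path + (item.get("name", "?"),)
        if "item" in item:
            yield from iter_requests(item["item"], here)
        elif "request" in item:
            yield here, item["request"]


def iter_fields(request):
    """Yield (location, key_name, container, field) for every place a literal can hide.
    container[field] is the string, so the remediator can rewrite it in place."""
    for h in request.get("header") or []:
        yield "header", h.get("key", ""), h, "value"
    url = request.get("url")
    if isinstance(url, dict):                 # query string is scanned via the parsed list
        for q in url.get("query") or []:
            yield "query", q.get("key", ""), q, "value"
    auth = request.get("auth") or {}
    params = auth.get(auth.get("type", ""))
    if isinstance(params, list):              # v2.1: [{"key":..., "value":...}]
        for p in params:
            yield "auth", p.get("key", ""), p, "value"
    elif isinstance(params, dict):            # v2.0: plain object
        for k in list(params):
            yield "auth", k, params, k
    body = request.get("body") or {}
    if body.get("mode") == "raw" and isinstance(body.get("raw"), str):
        yield "body", "raw", body, "raw"


def find_secrets(location, key, value):
    """Return [(name, literal)] for hard-coded secrets in one field; [] if clean or parameterised."""
    if not isinstance(value, str) or not value:
        return []
    found = KNOWN_PREFIXES.findall(value)
    if found:                                  # literal token, even when mixed with text
        return [(key, f) for f in found]
    if location == "body":
        return [(m.group(1), m.group(2)) for m in BODY_SECRET.finditer(value)]
    if PLACEHOLDER.search(value):
        return []                              # already a {{variable}}
    if location == "auth" or key.lower() in SENSITIVE_KEYS:
        return [(key, value)]                  # any auth literal must be a variable
    return []


def scan(collection):
    """List every hard-coded secret in a collection, with a handle to its field."""
    findings = []
    for path, req in iter_requests(collection.get("item", [])):
        for loc, key, container, field in iter_fields(req):
            for name, secret in find_secrets(loc, key, container.get(field)):
                findings.append({"path": "/".join(path), "location": loc, "key": name,
                                 "secret": secret, "container": container, "field": field})
    return findings


def redact(secret):
    """Show only a prefix so the scanner's own output does not leak the value."""
    return secret[:4] + "..." + f"[{len(secret)} chars]"


def remediate(collection):
    """Replace each literal with {{variable}} and return (hardened collection, environment export).
    Mutates `collection`; the environment file is what you keep private."""
    env = {"name": collection["info"]["name"] + " (secrets)",
           "_postman_variable_scope": "environment", "values": []}
    for f in scan(collection):
        var = re.sub(r"[^a-z0-9]+", "_", f"{f['path']}_{f['key']}".lower()).strip("_")
        f["container"][f["field"]] = f["container"][f["field"]].replace(f["secret"], "{{" + var + "}}")
        env["values"].append({"key": var, "value": f["secret"], "type": "secret", "enabled": True})
    return collection, env


def demo():
    """Run scan -> remediate -> rescan on a copy of the sample; returns all four artefacts."""
    before = scan(SAMPLE_COLLECTION)
    hardened, env = remediate(copy.deepcopy(SAMPLE_COLLECTION))
    return before, hardened, env, scan(hardened)


if __name__ == "__main__":
    before, hardened, env, after = demo()
    for f in before:
        print(f"{f['path']} [{f['location']}:{f['key']}] -> {redact(f['secret'])}")
    print(json.dumps(hardened["item"][0], indent=1))
    print("remaining after remediation:", len(after))
```

Run it against a real export (`File > Export` in Postman) by loading the JSON into `SAMPLE_COLLECTION`'s place; the pre-share check is simply "`scan()` returns an empty list". Two caveats matter in practice: a prefix list will never be complete, so treat an empty scan as necessary rather than sufficient, and moving a secret into a variable does not revoke it. A credential that has already been synced to a public workspace or repository must be rotated, not merely parameterised.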