A major data exposure incident has been discovered at APIsec.ai, a prominent security company serving many Fortune 100 clients. The company inadvertently left an Elasticsearch database containing over three terabytes of sensitive customer information publicly accessible.
The exposure was identified by UpGuard researcher Greg Pollock during routine cloud infrastructure scanning. The database contained detailed API scan results, system credentials, and customer information dating from 2018 to 2025.
The largest data index contained approximately 99 million records spanning two terabytes, comprising detailed API testing logs and responses from customer endpoints. This effectively created a comprehensive map of enterprise APIs that could be valuable to potential attackers.
The exposed database included:
- AWS access keys
- GitHub and Slack login credentials
- Configuration data for 3,700+ scanning clusters
- Scanner authentication keys
- Customer billing information
- Email addresses
- Company details
- Security configuration data
In an unusual finding, the database also contained information from a UK nail salon, exposing data of 224 technicians including hashed passwords and contact details, likely due to a misconfigured API endpoint.
APIsec, which specializes in automated API security testing and vulnerability scanning, was immediately notified of the exposure. The company promptly secured the database upon receiving the notification.
The incident raises concerns about security tools potentially becoming points of vulnerability themselves. As organizations increasingly rely on third-party security vendors, this exposure demonstrates the importance of maintaining robust security practices across the vendor ecosystem.
This event serves as a reminder that security monitoring tools, while designed to protect organizations, can inadvertently create additional risks if not properly secured.