Employee #monitoring app exposes 21M work screens​ | Cybernews

The #leaked data is extremely sensitive, as millions of screenshots from employees' devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain #login pages, credentials, #APIkeys , and other sensitive info that could be #exploited to attack businesses worldwide.

Cybernews contacted the company, and access has now been secured.
#privacy

https://cybernews.com/security/employee-monitoring-app-leaks-millions-screenshots/

Exposed #DeepSeek Database Revealed #Chat Prompts and Internal Data

China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: #Security researchers found more than 1 million records, including user data and #APIkeys , in an open database.
#china #api

https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts-and-internal-data/

Prometheus Security Breach 300K Instances Expose Credentials and API Keys
Today, we're diving into the alarming news of a massive security breach involving Prometheus, a popular monitoring and alerting tool used by countless organizations worldwide
#PrometheusSecurity #DataBreach #CyberSecurity #APIKeys #CredentialLeak #InformationSecurity #DataProtection #SecurityIncident #CyberThreat #TechNews #hack #security #news #privacy #leaks
https://cloudhosting.evostrix.eu/prometheus-security-breach-300k-instances-expose-credentials-and-api-keys/

Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online
https://thehackernews.com/2024/12/296000-prometheus-instances-exposed.html

#Infosec #Security #Cybersecurity #CeptBiro #PrometheusInstances #Credentials #APIKeys #LeakingOnline

'Some random guy' is emailing me on behalf the Internet Archive Team, @internetarchive .

#internetarchive #internetarchivebreach #zendesktoken #apikeys

"tl;dr Postman, the popular API testing platform, hosts the largest collection of public APIs. Unfortunately, it’s become one of the largest public sources of leaked secrets. We estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers."

https://trufflesecurity.com/blog/postman-carries-lots-of-secrets

#security #api #postman #apikeys #cybersecurity

👉 #SAML, #OAuth 2.0, and #JWT establish a robust framework for securing #API authentication and authorization processes.

Explore other key #apisecurity protocols essential for securing your API endpoints: https://bit.ly/3Rn96bb

#apiattacks #apiendpoints #authentication #authorization #apibreaches #databreaches #vulnerabilities #apikeys #apptrana #indusface

I'm failing to grok how #APIKeys and #GCP (#GoogleCloudPlatform) "projects" work.

I need to distinguish between different customers calling my #API via their API keys. The official documentation says "create a separate GCP project for each [customer]" (source: https://cloud.google.com/endpoints/docs/openapi/restricting-api-access-with-api-keys#sharing_apis_protected_by_api_key)

I could have hundreds or more of different customers. Am I expected to create a GCP project for each one?

JumpCloud says nation-state hackers breached its systems

JumpCloud, a directory platform that allows enterprises to authenticate, authorize and manage users and devices, told customers it had reset their API keys “out of an abundance of caution”

JumpCloud said it determined a nation-state actor gained unauthorized access to its systems and targeted a “small and specific” set of customers.

#JumpCloud #security #cybersecurity #infosec #APIkeys #hacked #hackers #hacking

https://techcrunch.com/2023/07/17/jumpcloud-nation-state-breach/

Microsoft has announced that API keys will be retired for querying application insights. Users will need to transition to Azure AD authentication, which provides additional features such as multi-factor authentication and hybrid integration for password protection policies. The deadline for transitioning to... https://azure.microsoft.com/en-us/updates/transition-to-azure-ad-to-query-data-from-azure-monitor-application-insights-by-31-march-2026/ #AzureAD #APIkeys #applicationinsights #softcorpremium

Question for the local community:

When you generate API secrets as an administrator of the application, you have access to them. Very common when creating secrets for a service accounts etc. But the logs will always point to the user you created and is open to abuse.

Under API security, is there a 'best practice' or some regulation guidance that says that this form of delegation has to be accurately authenticated 'by user' in a logging mechanism? #apikeys #gdpr #logging #infosec

Dealing with my first #securitybreach for a system I'm responsible for.
T0: Dev pushed cloud platform #APIkeys to #publicrepo
T0+30 min: Beijing IP attempted to create docker-machine host and security group allowing that IP ingress. When permissions were insufficient #hacker immediately deleted security group.
T0 +40 min: later our customer (owner of the cloud platform account) forwarded an alert email from the platform.
T0 +50 min: our lockdown and #forensics began

Twitter Warns Developers of API Bug That Exposed App Keys, Tokens - Twitter has fixed a caching issue that could have exposed developers' API keys and tokens. https://threatpost.com/twitter-bug-exposed-api-keys-tokens/159591/ #developer.twitter.com #twitterdevelopers #oauthapirequests #vulnerabilities #applications #dataexposure #websecurity #appsecurity #cachingbug #security #apikeys #twitter #tokens