Introduction
If you scanned your organisation’s public-facing assets five years ago, the firewall was the perimeter. Today, that perimeter is made of APIs — and most organisations have no idea how many they have, who’s calling them, or how vulnerable they are.
API-related attacks have become the dominant breach vector for web applications in 2026. OWASP’s API Security Top 10 now lists broken object level authorisation, broken authentication, and excessive data exposure as the leading risks. And they’re not theoretical — major breaches at major enterprises have been traced directly back to unprotected API endpoints. This aligns with what I see in AI-powered attack trends where APIs are increasingly targeted as the entry point for AI-driven campaigns.
Why APIs Are the Primary Attack Target in 2026
Modern applications are API-first. Mobile apps, single-page applications, microservices, partner integrations — all communicate through APIs. This architectural shift created a single point of control that attackers learned to exploit.
Three structural reasons API security is crisis-level:
- APIs expose data at scale — Unlike a web page that renders one user’s view, APIs often serve as data pipelines to multiple clients simultaneously. A single vulnerable endpoint can leak thousands or millions of records
- APIs are undocumented and forgotten — Shadow APIs (untracked endpoints), deprecated but still active versions, and internal APIs accidentally exposed to the internet accumulate faster than security teams can audit them
- Business logic lives in APIs — Unlike classic injection flaws that exploit a known vulnerability class, API attacks exploit business logic — authorisation flaws, rate limit abuse, parameter manipulation. These are harder to detect and impossible to patch with a signature
Salt Security’s 2025 API Security Report found that 94% of organisations experienced API security problems in the prior year, with 59% experiencing sensitive data exposure through APIs. And given that APIs underpin everything from financial transactions to healthcare records to AI model connections, the blast radius of a successful API breach is larger than ever.
The OWASP API Security Top 10: Where Breaches Actually Happen
Broken Object Level Authorisation (BOLA) — #1 on the list
This is the most common and most impactful API vulnerability. It occurs when an API endpoint exposes an object identifier and doesn’t properly validate that the requesting user has access to that specific object. Attackers manipulate the ID in the request — changing a user ID, order number, or file reference — to access other users’ data.
Real example: In 2023, a major US telecom provider suffered a breach affecting 77 million customers when an API endpoint allowed any authenticated user to retrieve other users’ account details by changing an ID parameter. NoSQL injection was a factor, but the core flaw was broken authorisation at the API logic layer.
Broken Authentication
APIs often use token-based authentication (JWTs, API keys, OAuth tokens) without proper validation. Common failures include:
- Accepting expired or invalid tokens without proper error handling
- Leaking tokens in URLs (which get logged in proxies, firewalls, browser history)
- Weak token signing algorithms allowing algorithm substitution attacks
- No rate limiting on authentication endpoints, enabling credential stuffing
For detailed guidance on API authentication security, OAuth.net provides comprehensive resources on implementing OAuth 2.0 and OpenID Connect securely, including common pitfalls and attack vectors. Also see my deep-dive on OpenAI supply chain attacks where API key mismanagement was the root cause of a $2.3M breach.
Excessive Data Exposure
Developers often rely on APIs to filter sensitive data client-side, returning more data than the UI actually displays. But if the API response contains more data than the client needs, an attacker can intercept it and extract sensitive fields the UI never intended to show.
The rule: the API should filter data. Not the client.
Lack of Resources and Rate Limiting
APIs that don’t enforce rate limits allow attackers to execute denial-of-service attacks or brute-force enumeration attacks at scale. Unprotected authentication endpoints are particularly vulnerable — without rate limiting, an attacker can try thousands of credential combinations per minute.
Cloud-native API gateways like AWS API Gateway, Google Cloud API Gateway, and Azure API Management all offer built-in rate limiting and throttling capabilities that should be configured as a baseline security control.
Real-World API Breaches That Made Headlines
- AT&T (2024) — A financial API vulnerability exposed 73 million customer records including Social Security numbers and account PINs. The breach traced to an API that returned data for any valid account without authorisation checks
- Planet Fitness (2024) — A flaw in the membership management API allowed any user to access and modify other members’ membership details, including payment information and personal data
- Evidon (2024) — A consumer advocacy organisation found that major brands’ web trackers had API endpoints that leaked user behavioural data without authentication, exposing browsing habits and clickstream data for millions of users
- LinkedIn (2021 and repeated in 2024) — Scraping attacks exploited API rate limiting gaps to harvest profile data for hundreds of millions of users. LinkedIn argued this was “normalised data collection” — but the API had no effective controls to prevent bulk extraction
The Dark Reading analysis on API attack trends provides additional context on how these breaches have shaped the enterprise security landscape and what defenders are doing differently in response.
The API Security Checklist
- ☑️ Inventory all APIs — discover shadow APIs, deprecated versions, and internal APIs exposed to the internet
- ☑️ Enforce object-level authorisation on every endpoint — validate the requesting user owns or can access the specific resource
- ☑️ Implement token validation on every API call — no endpoint should be accessible without a valid, unexpired credential
- ☑️ Filter data at the API layer — never return more data than the business function requires
- ☑️ Rate limit all endpoints — especially authentication and search endpoints
- ☑️ Require strong authentication for sensitive operations — MFA for admin access, API key rotation policies
- ☑️ Validate all input — enforce schema validation, reject unexpected parameter types
- ☑️ Monitor API traffic for anomalies — unusual call volumes, unusual data access patterns, unusual geographic access
- ☑️ Use API gateways with security policies — enforce authentication, rate limiting, and input validation at the gateway layer
- ☑️ Document all API versions and deprecate old versions with clear timelines and communications to consumers
Conclusion: APIs Need Security at Design Time, Not After
The API security crisis is fundamentally a design problem. APIs were built for speed and functionality — security was bolted on later, if at all. The fix requires shifting security left: designing APIs with authorisation models baked in, validating every request before processing, and monitoring for anomalous behaviour across all endpoints.
Organisations that treat API security as a continuous process — not a one-time audit — will be far better positioned than those who discover their vulnerabilities only after a breach makes the news. This is also why Zero Trust Architecture and NIS2 compliance both explicitly require API security controls as part of their broader security frameworks.
Start with an API inventory. You can’t protect what you don’t know exists.
Read also: OpenAI Supply-Chain Attacks, AI-Powered Phishing, Zero Trust Architecture, NIS2 Compliance Guide
About the Author: Syed Adil Hussain is a cybersecurity professional helping organisations secure their digital infrastructure. Connect with him on LinkedIn or reach out directly at thecyberguy90@gmail.com.