
Significant API Security Incidents Highlight Vulnerabilities in Legacy Systems

Severity: High (Score: 67.5)

Sources: equixly.com, www.darktrace.com

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: billion, security, application, programming, equixly, incidents, darktrace

Summary

In 2026, the API management market is projected to generate approximately $9.7 billion, making APIs a critical attack surface. A notable incident involved a legacy Stripe API endpoint that was exploited in a web-skimming campaign affecting at least 49 online retailers. Attackers abused this deprecated endpoint, which lacked modern security controls, to conduct a large-scale card-testing operation. The incident underscored the risks associated with improper asset management and broken authentication vulnerabilities. Security audits often overlook such legacy systems, leaving them exposed. Organizations typically test only 38% of their APIs for vulnerabilities, further compounding the issue. The incident serves as a case study for security professionals to improve API security strategies. It emphasizes the need for comprehensive visibility and management of digital assets throughout their lifecycle.

Key Points:

  • A legacy Stripe API endpoint was exploited in a web-skimming campaign affecting 49 retailers.
  • The attack exploited improper asset management and broken authentication vulnerabilities.
  • Organizations test only 38% of their APIs for vulnerabilities, leaving many exposed.

Detailed Analysis

**Impact**

At least 49 online retailers were affected by the Stripe legacy API incident, exposing them to large-scale card-testing and skimming operations. The McDonald’s McHire platform data incident exposed sensitive personally identifiable information due to third-party vulnerabilities. These incidents impacted sectors including e-commerce and corporate recruitment platforms, with potential data exposure spanning payment card details and applicant records. The geographic scope is global, given Stripe’s merchant base and McDonald’s international presence.

**Technical Details**

Attackers exploited a deprecated Stripe API endpoint (/v1/sources) lacking modern security controls such as advanced rate limiting and fraud detection, enabling automated card validation via stolen card lists and bots. The root causes were Improper Asset Management and Broken Authentication vulnerabilities. The McHire incident involved broken object-level authorization (BOLA), allowing unauthorized access to applicant data through compromised test accounts. No specific malware or CVEs were mentioned. The attacks occurred during the reconnaissance and exploitation stages of the kill chain.

**Recommended Response**

Immediately identify and decommission all legacy, shadow, and zombie APIs through automated discovery tools integrated with asset management systems. Enforce strict authentication and authorization controls, including OAuth 2.0 with PKCE and role-based access controls, on all API endpoints. Deploy continuous API security testing platforms that simulate attacks to detect vulnerabilities and monitor for anomalous high-frequency, low-value transaction patterns. Monitor third-party integrations for authorization flaws and validate all API requests against strict schemas at the gateway level.
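The recommended monitoring for "anomalous high-frequency, low-value transaction patterns" against the deprecated /v1/sources path can be expressed as a simple sliding-window detector over API gateway logs. This is an added example, not code from either source article; the log line format, the client IPs, the thresholds and the treatment of any 4xx status as a declined card are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed gateway log lines (not real data): time, client IP, method, path, amount in cents, HTTP status.
SAMPLE_LOGS = """\
2026-06-10T12:00:00Z 203.0.113.7 POST /v1/sources 100 402
2026-06-10T12:00:01Z 203.0.113.7 POST /v1/sources 100 402
2026-06-10T12:00:02Z 198.51.100.20 POST /v1/payment_intents 4999 200
2026-06-10T12:00:03Z 203.0.113.7 POST /v1/sources 100 200
2026-06-10T12:00:04Z 192.0.2.9 POST /v1/sources 100 402
2026-06-10T12:00:05Z 203.0.113.7 POST /v1/sources 100 402
2026-06-10T12:00:06Z 203.0.113.7 POST /v1/sources 100 402
2026-06-10T12:00:08Z 203.0.113.7 POST /v1/sources 100 200
"""

LEGACY_PATHS = {"/v1/sources"}   # deprecated endpoint named in the analysis
WINDOW = timedelta(seconds=60)   # assumed tuning values below, not taken from the source
MIN_REQUESTS = 5                 # low-value calls per client per window before alerting
MAX_AMOUNT_CENTS = 500           # what this example treats as a "low value" charge
MIN_DECLINE_RATIO = 0.5          # card testing with stolen lists produces many declines

def parse_line(line):
    """Split one constructed log line into a dict; any status >= 400 is treated as a decline."""
    ts, ip, _method, path, amount, status = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
            "path": path, "amount": int(amount), "declined": int(status) >= 400}

def detect_card_testing(lines):
    """Return {client_ip: {"requests": n, "declines": d}} for clients that burst low-value calls at a legacy path."""
    by_ip = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev["path"] in LEGACY_PATHS and ev["amount"] <= MAX_AMOUNT_CENTS:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):          # slide a WINDOW-long interval over this client's calls
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            declines = sum(e["declined"] for e in window)
            if len(window) >= MIN_REQUESTS and declines / len(window) >= MIN_DECLINE_RATIO:
                alerts[ip] = {"requests": len(window), "declines": declines}
    return alerts

if __name__ == "__main__":
    print(detect_card_testing(SAMPLE_LOGS.splitlines()))  # flags 203.0.113.7 only
```

Only the client that issues six low-value calls to the legacy path within the window, most of them declined, is flagged; the single call from 192.0.2.9 and the normal-value traffic to /v1/payment_intents are not.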

Source articles (2)

  • Darktrace API Security — www.darktrace.com · 2026-06-10
    Application Programming Interface (API) security encompasses the technical controls, governance frameworks, and operational practices required to protect application programming interfaces from exploi…
  • Equixly API Incidents — equixly.com · 2026-06-10
    The global API management market is projected to generate around $9.7 billion in revenue this year (depending on the source, estimates range from $7 billion to $12 billion), underscoring that APIs ar…

Timeline

  • 2026-06-10 — API management market projected revenue announced: The global API management market is projected to generate around $9.7 billion in 2026, highlighting the importance of API security.
  • 2026-06-10 — Stripe API incident detailed: A legacy Stripe API endpoint was exploited, leading to a web-skimming campaign affecting 49 online retailers.

Related entities

  • Brute Force (Attack Type)
  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Intel Outside (Campaign)
  • Intel (Company)
  • McDonald’s (Company)
  • Salesforce (Company)
  • Volkswagen (Company)
  • Stripe (Platform)
  • Azure Active Directory (Platform)
  • McHire Platform (Platform)
  • Microsoft Graph (Platform)
  • MSAL (Platform)
  • My Volkswagen App (Platform)
  • OAuth 2.0 (Platform)
  • Salesforce CRM (Platform)
  • Stripe API (Platform)
  • India (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • paradox.ai (Domain)
  • retailers.it (Domain)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Broken Authentication (Vulnerability)