Application security, Cloud Security

Data exposed by over 30K Postman Workspace instances

Hackread reports that more than 30,000 internet-exposed instances of Postman Workspace, a widely used cloud-based API development and testing platform, had API keys, tokens, and admin credentials exposed. The leaks stemmed from access control misconfiguration, accidental sharing of Postman collections, syncing with public repositories, and storage of plaintext data without encryption.

Most of the leaked secrets were for api.github.com, followed by slack.com, hooks.slack.com, salesforce.com, and login.microsoftonline.com, and the exposed data affected organizations in the healthcare, financial services, and athletic clothing sectors, according to a year-long investigation by CloudSEK's TRIAD team.

Because such API exposure has fueled data compromise and social-engineering intrusions, the researchers urge organizations to use secret management systems and environment variables, rotate tokens regularly, restrict permissions, and check collections for secrets before sharing them.
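One way to act on the last recommendation, checking a collection for secrets before it is shared, as an added example that is not part of the original report or of Postman's tooling: this Python script walks a Postman collection export (assumed to follow the v2.1 JSON layout) and flags literal GitHub tokens, Slack webhook URLs and bearer tokens while accepting {{variable}} references that resolve from a separate environment; the regexes and the sample collection are constructed for this example.

```python
import re

# Illustrative patterns for the secret types named in the report (GitHub
# tokens, Slack webhooks, literal bearer tokens); not Postman's own rules.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
    "bearer_literal": re.compile(r"^Bearer\s+(?!\{\{)[A-Za-z0-9._\-]{20,}", re.I),
}
# A bare {{variable}} reference is fine: it resolves from an environment that
# is not part of the shared collection file.
VAR_REF = re.compile(r"^\{\{[^}]+\}\}$")


def _walk(node, path):
    """Yield (json_path, value) for every string in a nested JSON structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_secrets(collection):
    """Return [(json_path, pattern_name)] for literal secrets in a collection dict."""
    findings = []
    for path, value in _walk(collection, "$"):
        if VAR_REF.match(value.strip()):
            continue  # variable reference, not a literal secret
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(value):
                findings.append((path, name))
                break
    return findings


# Constructed sample in the Postman v2.1 collection layout; token and hook are fake.
SAMPLE = {
    "info": {"name": "demo"},
    "variable": [{"key": "gh_token", "value": "ghp_" + "A" * 36}],
    "item": [
        {"name": "repos", "request": {"method": "GET", "url": {"raw": "https://api.github.com/user/repos"},
                                      "header": [{"key": "Authorization", "value": "Bearer {{gh_token}}"}]}},
        {"name": "notify", "request": {"method": "POST",
                                       "url": {"raw": "https://hooks.slack.com/services/T000/B000/XXXXXXXX"}}},
    ],
}
```

Running `find_secrets(SAMPLE)` reports the token stored as a collection variable and the webhook embedded in a request URL, while the `Bearer {{gh_token}}` header passes because it only references a variable.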

The findings follow Postman's move in June to begin removing public workspaces with exposed secrets from its public API network.

"As we roll out this policy change, owners of public workspaces containing secrets will be notified and have the opportunity to remove their exposed secrets before that workspace is removed from the network," Postman said.
