APIsec, a company specializing in API testing, has confirmed that it secured an internal database containing customer data that had been left exposed on the internet without a password.
The database, which was uncovered by security research firm UpGuard, had been storing records since 2018, including the names and email addresses of APIsec’s customers’ employees and users, as well as details about the security posture of its corporate clients.
Much of the data stored in the database was generated through APIsec’s monitoring of its customers’ APIs for potential security vulnerabilities, according to UpGuard.
UpGuard discovered the exposed database on March 5 and promptly notified APIsec, which secured the database shortly thereafter.
APIsec, which claims to have worked with numerous Fortune 500 companies, describes itself as a provider of API testing services. APIs enable communication between different systems on the internet, such as a company’s backend systems and users accessing its app or website. If left insecure, APIs can be exploited to extract sensitive data from a company’s systems.
In a recently published report, UpGuard revealed that the exposed data included information about the attack surfaces of APIsec’s customers, such as details on whether multi-factor authentication was enabled for a particular customer account. This information could potentially provide valuable technical intelligence to malicious actors.
When initially contacted by TechCrunch, APIsec founder Faizel Lakhani downplayed the security incident, stating that the database contained “test data” used for product testing and debugging purposes. Lakhani emphasized that the exposed database was not the company’s production database and did not contain any customer data. He attributed the exposure to “human error” rather than a malicious incident.
Lakhani stated, “We quickly closed public access to the database. The data it contained is not usable.”
However, UpGuard found evidence of real-world corporate customer information in the database, including the results of security scans from API endpoints.
The exposed data also included personal information of APIsec’s customers’ employees and users, such as names and email addresses, according to UpGuard.
After being presented with evidence of leaked customer data by TechCrunch, Lakhani revised his statement. In a subsequent email, the founder revealed that APIsec had conducted an investigation on the day of UpGuard’s report and re-examined the incident the following week.
Lakhani stated that the company notified customers whose personal information was present in the publicly accessible database. However, when asked to provide a copy of the data breach notice sent to customers, Lakhani declined.
When asked if APIsec plans to notify state attorneys general as required by data breach notification laws, Lakhani chose not to comment further.
UpGuard also discovered a set of AWS private keys and credentials for a Slack account and a GitHub account within the dataset. The researchers could not determine whether the credentials were still active, since using them without permission would be unlawful. APIsec claimed that the keys belonged to a former employee who left the company two years ago and that they were disabled upon their departure. It remains unclear why the AWS keys were stored in the database.