Robocall Legal Advocate Leaks Customer Data

Brian Krebs reported that thousands of documents, emails, spreadsheets, images and the names tied to countless mobile phone numbers all could be viewed or downloaded without authentication from the domain theblacklist.click. The directory also included all 388 Blacklist customer API keys, as well as each customer’s phone number, employer, username and password.

Experts Comments

August 05, 2020
Matt Keil
Director of Product Marketing
Cequence Security
This is a perfect example of how an API can be used to foster partnerships, but lacking in execution with all too common API authentication errors being made. API keys are a good start, but stronger authentication may be in order to protect the customer data. The more significant error was exposing the API keys in a publicly accessible storage mechanism. These types of errors seem to occur weekly. Do the developers really understand the ramifications of public-facing APIs and data? It's exposed to everyone. It's a simple question, but what else can explain the repetitive nature of these basic errors?