New York, Wednesday November 20th, 2024 – Escape, an API security platform, today announced the results of its 2024 State of API Exposure report. The study highlights significant API security gaps affecting Fortune 1000 organizations, with over 28,500 exposed APIs and 98,800 vulnerabilities identified. Among these findings, 1,830 were classified as highly critical due to the potential exposure of sensitive data and systems.
Escape’s 2024 report underscores the urgent need for organizations to adopt robust API security strategies, as unchecked API sprawl leaves critical systems exposed. Using advanced subdomain enumeration, AI-driven fingerprinting, and OSINT techniques, Escape’s security research team scanned thousands of APIs, revealing vulnerabilities linked to broken authentication, security misconfigurations, and public access to development APIs. Notably, 3,945 development APIs were found to be publicly accessible, heightening security risks due to their lack of adequate access controls.
Recent reports, including the 2025 Global State of API Security report, indicate that 57% of organizations have suffered an API-related data breach in the past two years. This statistic highlights the serious risks involved when APIs are left unprotected at scale.
"Scaling API security is a fundamental challenge. As organizations deploy more APIs to meet digital demands, their security processes are falling behind," said Tristan Kalos, CEO of Escape. "Our research shows that a majority of APIs are left unmanaged, which not only exposes data, but also magnifies risk at every level of operation."
Key Report Findings
The 2024 incidents, including the Twilio Authy breach, illustrate how insecure API endpoints exposed in the wild can be exploited in attacks.
In July 2024, Twilio’s Authy service suffered a significant breach due to an exposed API endpoint. This vulnerability allowed unauthorized access to authentication data, putting millions of users at risk. The attackers managed to exploit this unsecured endpoint to access one-time passcodes, which are a critical layer of security for multi-factor authentication. This breach highlighted how even security-focused companies are vulnerable when API endpoints aren’t adequately protected.
This extensive exposure of unsecured APIs underscores a critical security issue. Immediate, strategic actions are necessary. Businesses must acknowledge the gravity of unsecured API sprawl and implement rigorous measures to counter it. Establishing robust API governance, intensifying security training, and leveraging automated testing tools are essential steps to mitigate these risks.
About Escape
Founded in 2020 by Tristan Kalos and Antoine Carossio, Escape is a cybersecurity company specializing in application security with a platform that combines automated API discovery and documentation generation with dynamic application security testing (DAST) capabilities. The solution allows security engineers to test the security and reliability of their applications during the development process, before and after their release. Escape already serves thousands of users across the world. More information on: www.escape.tech
Media Contact
Alexandra Charikova
+33 6 34 21 25 23
alexandra@escape.tech