Improper Inventory Management
摘要
On September 22, 2022, Optus, Australia's second-largest telecommunications company, discovered that personal information of 9.8 million customers, nearly 40% of the country's population, had been exposed through a forgotten API endpoint. The breach wasn't the result of sophisticated hacking or advanced persistent threats. Instead, as court filings would later reveal, it stemmed from a simple coding error in 2018 that broke access controls on an API domain that should have been decommissioned years earlier. The Target API domain, created in 2017 to segregate API traffic from the main website, remained internet-facing and vulnerable for over a year after the same security flaw had been identified and fixed on the primary domain. The attacker needed only basic trial-and-error techniques to bypass the broken access controls and extract customer data including names, dates of birth, phone numbers, email addresses, and for some customers, passport and driver's license numbers.