The Scottish brewery BrewDog left personally identifiable information of 200,000+ customers and shareholders exposed for nearly 18 months. A PenTestPartners report revealed that the issue was in BrewDog’s mobile app’s API and its token-based authentication system.
Names, dates of birth, past delivery addresses, email addresses, telephone numbers, shareholder numbers and more were left accessible.
Jason Kent, Hacker in Residence at Cequence Security, weighed in:
“API breaches that align with the OWASP API Top 10 aren't that uncommon anymore. In this case, simple enumeration of IDs while being authenticated via a hardcoded API Key follows as well. Authentication and authorization issues are at the top of the list for a reason. Here you can see both issues lead to complete acquisition of the customer database, utilization and even things like "rewards" points can be utilized without the permission of the account owner.
BrewDog's response is, unfortunately, very similar to our own experiences with reporting APIs bleeding out data in an uncontrolled manner. Dumping the entire customer database and having access to all of the information for an organization's customers shouldn't be ignored and is a great lesson to anyone with an API that wants to ensure its security.”
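The two failures the quote names, a shared hardcoded app key and guessable customer IDs with no ownership check, are easy to see side by side in a toy lookup endpoint. The following is an added illustration, not code from BrewDog, Pen Test Partners or Cequence; all records, keys, tokens and log lines are constructed for the demo.

```python
"""Added example: a customer-lookup endpoint with the weak pattern described above
(one app-wide API key, sequential IDs, no object-level check) beside a hardened
version, plus a simple log check that flags ID enumeration. All data is constructed."""

# Constructed sample records keyed by a sequential, guessable customer ID.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "shareholder_no": "S-1"},
    1002: {"name": "B. Example", "dob": "1975-05-05", "shareholder_no": "S-2"},
}

# Weak pattern: a single key baked into the mobile app. Holding it makes a caller
# "authenticated", but the server never learns *which* customer is asking.
HARDCODED_APP_KEY = "constructed-app-key"   # constructed value


def lookup_insecure(api_key: str, customer_id: int):
    """Authenticates the app, not the user: any valid key reads any record."""
    if api_key != HARDCODED_APP_KEY:
        return None                      # 401: bad key
    return CUSTOMERS.get(customer_id)    # no ownership check -> IDs enumerable


# Hardened pattern: per-user session tokens issued after login, mapped server-side
# to exactly one customer. The object-level check compares caller to requested ID.
SESSIONS = {"constructed-token-1001": 1001, "constructed-token-1002": 1002}


def lookup_secure(bearer_token: str, customer_id: int):
    """Authenticates the user and authorizes the specific object requested."""
    caller = SESSIONS.get(bearer_token)
    if caller is None:
        return None                      # 401: unknown or expired token
    if caller != customer_id:
        return None                      # 403/404: not the caller's record
    return CUSTOMERS.get(customer_id)


def enumeration_suspects(access_log, threshold=3):
    """Detection side: callers that read >= threshold distinct customer IDs.

    access_log is an iterable of (caller_identity, customer_id) tuples, e.g. from
    API gateway logs. A legitimate mobile client reads its own record only.
    """
    seen = {}
    for caller, cid in access_log:
        seen.setdefault(caller, set()).add(cid)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```

The detection helper is only useful if the gateway logs a per-caller identity; with a single shared app key every request looks like the same caller, which is one more reason the per-user token matters.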