SecurityWeek reports that millions of users could have their data compromised following the discovery of 1,550 applications leaking API keys for Algolia, a search service used by more than 11,000 companies, including Slack, Zendesk, Medium, and Lacoste.
Thirty-two of the key-leaking apps contained hardcoded admin secrets and have been downloaded more than 2.5 million times; according to a CloudSEK report, those admin keys could be abused in malicious attacks to compromise user data.
"While this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, open firebases," said CloudSEK.
Impacted organizations have been urged to immediately revoke the leaked API keys, generate new keys and store them securely, and use authenticated endpoints.
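As an added defender-side illustration (not code from SecurityWeek, CloudSEK or Algolia), the Python scan below flags candidate hardcoded Algolia credentials in a strings dump from an app build, the kind of check a developer can run before shipping. The key shapes, the hint words and the sample strings are assumptions constructed for the example.

```python
import re

# Assumed key shapes (assumption, not taken from the article): an Algolia
# application ID is 10 upper-case alphanumerics and an API key is 32 hex chars.
APP_ID_RE = re.compile(r"\b[A-Z0-9]{10}\b")
API_KEY_RE = re.compile(r"\b[a-f0-9]{32}\b")
ALGOLIA_HINT_RE = re.compile(r"algolia", re.IGNORECASE)
ADMIN_HINT_RE = re.compile(r"admin|write|secret", re.IGNORECASE)

# Constructed sample input: a strings dump from a hypothetical app build.
SAMPLE_STRINGS = """\
ALGOLIA_APP_ID = "XYZ12ABC34"
ALGOLIA_SEARCH_ONLY_KEY = "0123456789abcdef0123456789abcdef"
ALGOLIA_ADMIN_KEY = "fedcba9876543210fedcba9876543210"
SENTRY_DSN = "https://example.invalid/123"
ANALYTICS_ENDPOINT = "https://example.invalid/collect"
FEATURE_FLAGS = "search,offline,push"
BUILD_HASH = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
IMAGE_MD5 = "ffffffffffffffffffffffffffffffff"
"""


def find_hardcoded_algolia_keys(text: str, window: int = 3) -> list[dict]:
    """Return candidate hardcoded Algolia credentials found in `text`.

    A 32-hex token is reported only when the word "algolia" occurs within
    `window` lines of it; that keeps unrelated MD5 digests and build hashes
    out of the report. `likely_admin` is a name-based hint only: whether a
    key really carries write ACLs must be confirmed in the Algolia dashboard.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in API_KEY_RE.finditer(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            context = "\n".join(lines[lo:hi])
            if not ALGOLIA_HINT_RE.search(context):
                continue
            app_id = APP_ID_RE.search(context)
            findings.append({
                "line": i + 1,
                "key_prefix": match.group(0)[:6] + "...",  # never log the full secret
                "app_id": app_id.group(0) if app_id else None,
                "likely_admin": bool(ADMIN_HINT_RE.search(line)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_algolia_keys(SAMPLE_STRINGS):
        print(finding)
```

Any key the scan reports should be treated as leaked and rotated; a search-only key still exposes whatever the index allows, so it belongs behind restricted, scoped keys rather than in the app bundle.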