Explainers & Guides

Are APIs Becoming the New Frontline for Supply Chain Cyber Attacks?

This article examines the proliferation of APIs in IT ecosystems, the associated cyber security risks, and how organisations can protect their supply chains against API-related attacks.


API-related supply chain attacks are rapidly emerging as a major cyber security threat, driven by the explosive growth of API ecosystems and the increasing reliance on third-party integrations. This trend is exposing organisations to new vulnerabilities, with attackers targeting weaker links in highly interconnected digital supply chains. In this article, we explore the challenges of defending APIs against attacks, and the best practices available to help organisations secure their supply chains.

Introduction

The Application Programming Interfaces (APIs) that are an indispensable, integrated part of today’s software supply chains have become the latest attack surface for cyber criminals to exploit. 

One recently discovered vulnerability in APIs used by a popular online travel service put millions of airline users worldwide at risk of account takeover. By attacking a weak point in the API ecosystem, hackers could bypass the travel service’s tight security checks to gain unauthorised access to user accounts – enabling them to impersonate users and carry out a whole range of actions. This specific vulnerability has now been fixed, but it highlights the growing risk of API-related supply chain attacks to individuals and organisations – risks that are widespread yet remain under-reported. 

What are APIs – and how are they used?

APIs are ubiquitous in every IT environment. They provide the vital connections between disparate software applications, essentially acting as the ‘translators’ that allow different systems to communicate with each other. APIs define how software components interact and exchange data, enabling seamless integration and functionality sharing. 

Anyone who uses the internet relies on APIs to complete everyday personal and professional tasks. Software providers develop API tools so that their products can integrate with other systems. Social media platforms use APIs to allow other applications to interact with their services. In e-commerce, APIs enable stores to process payments and integrate payment gateways. Digital mapping providers use APIs to embed maps and location data into applications to power features like directions and real-time tracking. Cloud service providers, such as AWS and Google Cloud, use APIs to manage cloud resources and storage. 

Essentially, a vast API ecosystem now facilitates and enables almost every online interaction, activity and process in our professional and personal lives. 

Explosion in API usage creates vast attack surface   

Third-party APIs are often published openly for any developer to use, or provided by vendors to authorised users only. Their use has grown exponentially in recent years, with organisations now deploying them widely to enable digital transformation, cloud migration and third-party integrations. According to a study by Traceable AI, organisations today use an average of 131 third-party APIs.

The explosion in API use is significantly increasing the convenience and efficiency with which we use multiple software applications. But APIs also expose organisations to risk, particularly where they interact with sensitive data and confidential systems. According to content delivery network provider Cloudflare, APIs now facilitate more than 70% of all web traffic, connecting internal systems and external partners in seamless data flows. This means APIs are handling vast quantities of sensitive data every second of every day, making them a lucrative target for hackers.

Every new API endpoint in an organisation’s supply chain represents a potential new vulnerability, which could enable hackers to gain access. The thousands of APIs now integrated into every IT ecosystem make it extremely difficult for organisations to maintain visibility and control over all of these potential weak points. 

Rising tide: API breaches are on the increase 

It’s no surprise, then, that this has led to an increase in the number of API-related data breaches and intrusions in recent years. The 2025 State of API Security Report by Traceable AI, which surveyed more than 1,500 IT and cyber security professionals, revealed that 57% of organisations had suffered API-related breaches in the past two years. Of those, an incredible 73% had experienced three or more incidents, suggesting a widespread failure of API defences.

The report highlights how the rapid expansion of APIs is outpacing the security measures designed to protect them, with nearly all organisations (99%) reporting API-related security issues in the past year. One of the biggest security challenges associated with APIs is maintaining accurate inventories. The report found that 58% of organisations monitor their APIs less than daily and have little confidence in their inventory accuracy. Only 20% of organisations carry out real-time API monitoring, leaving the majority vulnerable to attack. 

Some of the most high-profile API-related security breaches in recent years include:

  • BeyondTrust: a state-sponsored hacker used a compromised API key in BeyondTrust’s remote management software to access workstations and documents within the US Treasury Department.
  • PandaBuy: hackers exploited API vulnerabilities in the PandaBuy system to gain unauthorised access to the user data of 1.3 million accounts. 
  • GitHub: the popular "tj-actions/changed-files" GitHub Action, widely used in CI/CD pipelines, was compromised. A malicious commit enabled attackers to dump CI/CD runner memory—including secrets like API keys and passwords—to build logs. This impacted over 23,000 repositories, exposing sensitive credentials.

How do API attacks occur?

The primary targets for hackers are externally facing APIs. These are the main attack vectors in 98% of attempts to breach API defences. Analysis of API attacks shows that 95% originate from authenticated users, which highlights the extremely high risk posed by compromised user accounts. Hackers have long used a variety of methods to take control of user accounts, and they are increasingly using compromised accounts to help them exploit API weaknesses.

Criminals can exploit a range of vulnerabilities in API systems, including security misconfigurations, broken authorisation systems and API authentication errors. Once they have gained entry to an organisation’s network via these API gateways, hackers can often find their way into other systems and organisations connected to the original entry point. 

By targeting API-related weak points in complex digital supply chains, cyber criminals can potentially gain access ‘via the backdoor’ to the systems and data of much more robustly protected organisations, depending on the specific API, its privileges and how widely it is integrated. In fact, the ubiquitous nature of APIs means that hackers can often infiltrate multiple organisations at once by exploiting a single API vulnerability at a trusted vendor in the supply chain.

Why are API attacks so difficult to defend against?

The huge number of APIs in daily use, and the difficulty of identifying all the APIs used within an organisation, mean that defending them against hackers is especially challenging. Traditional IT security tools, such as Web Application Firewalls (WAFs), Content Delivery Networks (CDNs) and Web Application and API Protection (WAAP) systems, often fall short when it comes to API protection. They frequently fail to detect sophisticated API attacks, particularly those that use legitimate, stolen credentials or that target flaws in business logic.

The sheer number of APIs in circulation also raises risks associated with forgotten APIs that are no longer used. These ‘shadow’ or ‘zombie’ APIs can become blind spots in an organisation’s security infrastructure. Shadow APIs could be legacy APIs that have simply fallen out of use, or APIs created by developers without proper oversight, meaning they exist outside of an organisation’s officially registered inventory. Because such APIs are not tracked or documented, hackers can potentially breach these systems without detection. 

New and greater security challenges are emerging with the growth in generative AI applications. The 2025 State of API Security Report found that 65% of organisations believe generative AI poses a serious to extreme risk to their APIs. In addition, 60% of organisations indicated that the extra API integrations required for AI applications increased their attack surface, raising concerns about risks to sensitive data.

How to strengthen API supply chain security 

As API usage continues to grow, organisations need to focus on implementing security strategies that can protect against API-related attacks, and which evolve alongside expanding API ecosystems.

There are some important steps organisations can take to manage and secure third-party APIs – steps that closely follow proven best practice in third-party risk management. 

  • Proactive monitoring and discovery: start by creating an inventory of third-party APIs that are integrated into your IT systems. It’s impossible to protect APIs if you don’t know which ones exist in your organisation. Automated tools can be used for real-time API discovery and ongoing monitoring, which is essential if breaches are to be detected in good time. 
  • Secure API development: adopt DevSecOps practices to ensure security is considered throughout the API development lifecycle. DevSecOps involves integrating security practices into every stage of the software development process – from initial planning, through development, testing and deployment, and even into ongoing API operation.
  • Third-party risk assessments: regularly assess and monitor the security posture of all vendors and partners – including the security of the APIs they use. Assessments and due diligence should be carried out before any third-party APIs are integrated. Continuous monitoring of third-party APIs will allow security issues to be identified quickly, and for vulnerabilities to be addressed as they emerge. 
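The inventory step above, and the ‘shadow’ and ‘zombie’ API problem described earlier, come down to one reconciliation: compare the routes you have registered against the routes your gateway actually serves. The following is an added example, not code from the article or from any vendor tool; the inventory format, the log format and all sample values are constructed for illustration.

```python
# Added example (not from the article): reconcile an API inventory against gateway access logs.
import re
from collections import Counter

# Constructed inventory: routes the organisation believes it exposes (OpenAPI-style templates).
INVENTORY = [
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/orders/{id}"),
    ("DELETE", "/v1/users/{id}"),  # legacy route, still registered
]

# Constructed gateway log lines: timestamp method path status client
ACCESS_LOG = """\
2025-03-01T10:00:01Z GET /v2/users/42 200 partner-a
2025-03-01T10:00:02Z POST /v2/orders 201 partner-a
2025-03-01T10:00:03Z GET /v2/orders/9001 200 partner-b
2025-03-01T10:00:04Z GET /internal/debug/config 200 partner-b
2025-03-01T10:00:05Z GET /internal/debug/config 200 partner-c
2025-03-01T10:00:06Z POST /v3/export 200 partner-c
"""

def template_to_regex(template):
    """'/v2/users/{id}' -> regex matching exactly one path segment per placeholder."""
    segs = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in template.split("/")]
    return re.compile("^" + "/".join(segs) + "$")

def match_route(method, path, inventory):
    """Return the inventoried (method, template) that serves this request, or None."""
    for inv_method, template in inventory:
        if inv_method == method and template_to_regex(template).match(path):
            return (inv_method, template)
    return None

def reconcile(log_text, inventory=INVENTORY):
    """Return (shadow, zombie): shadow = {(method, path): hits} for traffic to
    routes absent from the inventory; zombie = inventoried routes never hit."""
    shadow, seen = Counter(), set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip malformed lines instead of aborting the run
            continue
        _ts, method, path, _status, _client = fields
        route = match_route(method, path, inventory)
        if route is None:
            shadow[(method, path)] += 1  # undocumented endpoint receiving traffic
        else:
            seen.add(route)
    return dict(shadow), set(inventory) - seen
```

On the constructed log, `reconcile(ACCESS_LOG)` reports two shadow routes (`GET /internal/debug/config` with two hits and `POST /v3/export` with one) and one zombie route (`DELETE /v1/users/{id}`), which is the list a team would then triage, either registering and securing the shadow routes or decommissioning the zombie one.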

Protecting APIs with best practice in third-party risk management 

APIs have become essential tools in everyday life and business operations, offering many benefits in terms of speed, convenience and efficiency. But because APIs are difficult to track and their security difficult to monitor, they can also expose organisations to significant risks. Conventional IT security tools are often inadequate to detect or prevent API-related security breaches, and these attacks can give hackers access to the systems and data of organisations throughout the supply chain. That’s why strengthening API security must be a priority for all organisations.

The best practices used in third-party risk management, including proactive security assessments and continuous monitoring, provide a blueprint for API risk management and protection – helping organisations to create safer environments for third-party API integration and keep pace with emerging threats. 
