More Than 30% of All Malicious Attacks Target Shadow APIs

Published on

New Research Spotlights How Attackers are Capitalising on API-Driven Innovation

LONDON, UK. – October 4, 2022 – Cequence Security, the leading provider of Unified API Protection, today released its first half 2022 report titled, “API Protection Report: Shadow APIs and API Abuse Explode.” Chief among the findings was approximately 5 billion (31%) malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making this the top threat challenging the industry.

“The reality is the everyday luxuries we enjoy as consumers like ridesharing and food delivery services are built on APIs,” said Ameya Talwalkar, CEO and founder, Cequence Security. “Our research found that the innovative ways companies can improve customer experiences are also the biggest threat to their security, customer trust and ultimately, their bottom line. These companies must rethink what is prioritised in their security strategy, starting with API protection.”

Developed by the CQ Prime Threat Research team, the report is based on an analysis of more than 20 billion API transactions observed over the first half of 2022 and seeks to highlight the top API threats plaguing organisations today.

Top Threat #1: Shadow APIs Hit with 5 Billion Malicious Requests

Roughly 5 billion (31%) of the 16.7 billion malicious requests observed targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, spanned a wide range of use cases. From the highly volumetric sneaker bots attempting to grab the latest Dunks or Air Jordans to stealthy attackers attempting a slow trickle of card testing fraud on stolen credit cards to pure brute force credential stuffing campaigns. Driven by high-volume content scraping as a precursor to shopping bot and gift card attacks, attacks on shadow APIs surged in April 2022 and have continued to rise in volume throughout the year.

Top Threat #2: API Abuse

Based on 3.6 billion attacks blocked by the CQ Prime Threat Research team, the second largest API security threat mitigated during the first half of 2022 was API abuse, meaning attackers targeting properly coded and inventoried APIs. This finding highlights the need to use industry-standard lists like OWASP as a starting point, not an end goal. The most blocked attacks are indicative of the strategies attackers are using. These included:

  • 3 billion shopping bots targeting sneakers or luxury goods
  • 290 million gift card checking attacks
  • The attempted creation of approximately 237 million fake accounts on popular dating and shopping applications

Top Threat #3: The Unholy Trinity: Credential Stuffing, Shadow APIs & Sensitive Data Exposure

Based on 100 million attacks, the combined use of API2 (Broken User Authentication), API3 (Excessive Data Exposure) and API9 (Improper Assets management) signifies two things: attackers are performing detailed analysis of how each API works, how they interact with each other, and the expected outcome and developers need to stay ever vigilant in following API coding best practices.

Account Takeover Mitigation Saves $193 Million

Highlighting the continued popularity of account takeovers (ATO), the CQ Prime Threat Research team helped customers mitigate roughly 1.17 billion malicious account login requests - all against APIs. The popularity of ATOs can be tied directly to their versatility, which has been amplified by the adoption of APIs for account logins and is shown throughout this report. More importantly, the impact of an ATO on the business is significant, with each incident varying in cost from $290 (Juniper Research) and roughly 9 hours of investigative work to $311 (Federal Trade Commission). The mitigation efforts protected roughly 11.7 million accounts which equate to a savings of $193 million across all customers.

“Our analysis and findings are based on real attacks in the wild,” said William Glazier, Director of Threat Research at Cequence Security. “Our findings underscore the importance of IT and security leaders having a complete understanding of how correctly coded APIs, as well as those with errors, can be attacked. The sample size of 20 billion alone means there is a high likelihood that enterprises across industries are impacted by these types of threats.”

The report highlights the importance of understanding the tactics, techniques, and procedures (TTPs) attackers use to exploit risks and how attackers will react to resistance. This means not only making sure that APIs are not susceptible to the OWASP API Security Top 10 as a starting point but also looking at what can be defined as API10+, a category that encompasses the many different ways that a perfectly coded API might be abused.

  • Download the full findings of the report
  • Register for the webinar on Thursday, October 27, 2022, API Protection Report: First Half 2022 Findings at 11 AM PDT and 11 AM BST
  • View the Infographic

About Cequence

Cequence Security, the pioneer of Unified API Protection, is the only solution that unifies API discovery, inventory tracking, risk analysis and native mitigation with proven, real-time threat protection against ever-evolving API attacks. Cequence Security secures more than 6 billion API calls a day and protects more than 2 billion user accounts across our Fortune 500 customers. Our customers trust us to protect their APIs and web applications with the most effective and adaptive defence against online fraud, business logic attacks, exploits and unintended data leakage, which enables them to remain resilient in today’s ever-changing business and threat landscape. Learn more at



Join 34,209 IT professionals who already have a head start

Network with the biggest names in IT and gain instant access to all of our exclusive content for free.

Get Started Now