Threat detection company CloudSEK has found tens of applications with hardcoded admin secrets and thousands of applications that leak Algolia API keys, both of which could allow hackers to steal the data of millions of users.
The Algolia API enables businesses to add features like search, discovery, and recommendations to their applications. Over 11,000 businesses, including Lacoste, Slack, Medium, and Zendesk, use the API. According to CloudSEK, 1,550 applications exposed Algolia API keys, including 32 applications with hardcoded admin passwords that gave attackers access to predefined Algolia API keys.
According to CloudSEK, more than 2.5 million people downloaded the offending 32 apps, which could have exposed user data to malicious attacks.