Unprotected API Leak Exposes 2.5 Million Student Loan Records
An attacker exploited an unauthenticated API endpoint connected to a major student loan servicer's database, pulling personal information for roughly 2.5 million borrowers. The vulnerable endpoint allowed bulk extraction of records, and the activity went unnoticed for several weeks before security teams discovered it.
The breach exposed names, Social Security numbers, loan balances, and contact details, creating conditions ripe for identity theft and fraud. Defenders must prioritize API security (enforcing authentication, rate limiting, and thorough logging) to prevent similar data exfiltration and to detect abnormal access patterns quickly.
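As an added illustration of the logging and detection point above (not code from the article or the affected servicer), the following sketch scans API access logs for successful reads that carried no credentials and for clients pulling many distinct records in a short window. The log layout, the `/api/v1/borrowers/` path, the 60-second window and the threshold of 20 records are all assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed log layout: timestamp client_ip auth_subject method path status
# ("-" as auth_subject means the request carried no credentials).
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) \S+ "
    r"/api/v1/borrowers/(?P<rid>\d+) (?P<status>\d{3})$")

def analyze(lines, window=timedelta(seconds=60), max_distinct=20):
    """Return sorted (finding, client_ip) pairs for successful record reads."""
    recent = defaultdict(deque)  # ip -> (time, record id) pairs inside the window
    findings = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["status"].startswith("2"):
            continue  # only successful reads of borrower records matter here
        ts, ip = datetime.strptime(m["ts"], TS_FMT), m["ip"]
        if m["user"] == "-":
            findings.add(("unauthenticated_read", ip))
        q = recent[ip]
        q.append((ts, m["rid"]))
        while ts - q[0][0] > window:  # drop reads older than the window
            q.popleft()
        if len({rid for _, rid in q}) > max_distinct:
            findings.add(("bulk_extraction", ip))
    return sorted(findings)

def sample_log():
    """Constructed log lines; IPs are documentation ranges, not real data."""
    t0 = datetime(2024, 1, 10, 2, 0, 0)
    def row(offset, ip, user, rid, status):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f"{ts} {ip} {user} GET /api/v1/borrowers/{rid} {status}"
    lines = [row(2 * i, "203.0.113.7", "-", 1000 + i, 200) for i in range(30)]
    lines += [row(300 * i, "198.51.100.4", "svc-portal", 2000 + i, 200) for i in range(5)]
    lines.append(row(0, "192.0.2.9", "-", 3000, 401))
    return lines

if __name__ == "__main__":
    for finding, ip in analyze(sample_log()):
        print(f"{finding}: {ip}")
```

Either finding on an endpoint that returns personal data is worth an alert on its own; a per-client window like this only works if the logs record the real client address and the authenticated subject for every request.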
Categories: Data Breaches, Identity & Access Management, Compliance & Regulation