Surge in API Attacks Exposes Sensitive Data Across Enterprises – 258 Daily Incidents per Firm in 2025
What Happened – Akamai’s 2026 State of the Internet report shows a steady climb in malicious traffic targeting APIs and web applications. The average enterprise faced 258 API‑related attacks per day in 2025, up from 121 in 2024, with most incidents stemming from misconfiguration, weak authentication, and behavior‑based threats that blend into normal traffic.
Why It Matters for TPRM –
- API attacks now constitute a routine operational risk, not a rare event.
- Misconfigured or poorly authenticated APIs can leak sensitive customer data, inflating breach liability for third‑party vendors.
- Automated, AI‑driven campaigns drive up infrastructure costs and can mask credential‑theft or data‑exfiltration attempts.
Who Is Affected – Cloud‑SaaS providers, API platform vendors, fintech, health‑tech, retail, and any organization that exposes public or partner‑facing APIs.
Recommended Actions –
- Conduct a comprehensive API inventory and classify each endpoint by data sensitivity.
- Harden authentication and authorization controls; enforce least‑privilege and token‑scoping.
- Deploy API‑specific WAF/behavior‑analytics solutions to detect anomalous request patterns.
- Regularly scan for misconfigurations and apply a “shift‑left” security testing cadence in CI/CD pipelines.
Technical Notes – Attack vectors are dominated by configuration errors, weak auth, and behavior‑based abuse that mimics legitimate workflows. No specific CVEs were cited, but the exposure includes personally identifiable information (PII), payment data, and proprietary business logic. Source: Help Net Security – Akamai API Attack Trends Report