About 3% of those who submitted recent trademark applications to the U.S. Patent and Trademark Office (USPTO) may have had their private home addresses exposed in a data leak, about 61,000 people in total.
The USPTO says that an API vulnerability was present between February 2020 and March 2023, making it possible for unauthorized third parties to retrieve the domicile addresses attached to trademark applications. Filers are required to provide a personal residential address as part of a measure intended to reduce fraudulent trademark filings.
USPTO temporarily shuts down access to bulk information products due to data leak
The faulty API was part of the Trademark Status and Document Retrieval (TSDR) system, used by trademark applicants (and USPTO staff) to check the status of pending and registered trademarks. The private address data collected with applications was also copied into a bulk data system that is used for academic and economic research.
In the wake of the data leak, USPTO has temporarily blocked access to all non-critical APIs and taken its bulk data products offline until an investigation is complete and any necessary permanent fixes are in place. The exposure appears to have been closed as a side effect of other work at the beginning of April 2023, when USPTO started masking personal information as part of a broader campaign of privacy improvements to data sets that are regularly accessed by the public.
Attackers do not appear to have been systematically scraping all of the exposed applications: USPTO says that the roughly 61,000 people impacted were about 3% of the total number of filers during the vulnerability window. The agency has also said it has seen no signs of the data being abused, though a statement of that kind generally means only that the data has not surfaced in some obvious place, such as a dark web marketplace.
There is no indication yet of who might have accessed the data. USPTO spokesperson Paul Fucito said that the agency had “failed to locate some of the more technical exit points” and properly protect data passing through those points.
For-profit criminal hackers increasingly on the hunt for API vulnerabilities
API security trends show that for-profit hackers are increasingly interested in APIs as a low-risk, low-effort means of collecting bulk data that can be sold on the dark web. While the fruits of this scraping are generally not as lucrative as the private information that can be obtained by phishing or by exploiting a vulnerability to get inside a network, the USPTO data leak demonstrates how these breach windows can stretch for years without detection.
API use is now almost ubiquitous: 98% of companies responding to a March 2022 Gartner poll said that they were either using APIs or planned to. Unsurprisingly, this mass adoption has been accompanied by a spike in vulnerabilities, misconfigurations and unintentional exposures. API security firm Wallarm’s year-end threat statistics report for 2022, based in part on incidents involving its customers, found that API-related attacks were up 197% on the year and that published CVEs involving an API issue increased by 78%. Attackers are also much quicker to exploit vulnerable APIs once they are discovered and reported on: the average lead time between public disclosure and exploitation fell from 58 days at the beginning of 2022 to minus three days by the end of the year, meaning that, on average, exploitation now begins before the vulnerability is publicly disclosed.
The numbers point to threat actors tending to be the ones who first find APIs that can be mined for data, which in turn points to an increasing focus on this avenue by organized and professional criminals. There are a number of possible reasons for this, but one of the leading candidates is a simple lack of appropriate maintenance and care for APIs. Multiple recent surveys indicate that most organizations do not have full visibility into their ecosystem of APIs, and it is relatively rare for them to keep full inventories that specify which ones handle the sorts of sensitive data that attackers will key in on.
Real-time testing of APIs also appears to be quite rare. Noname Security’s September 2022 report on API security trends found that only 7% of its security professional respondents said that they test in real time for indicators of API abuse; it is much more common for tests of this nature to be done once a month or even less often.
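Testing for indicators of API abuse does not have to wait for a monthly exercise; the pattern behind the USPTO incident (one endpoint, one ID parameter, no authentication, walked in bulk) is visible in ordinary access logs. The following is an added example, written for this article and not code from the USPTO, Noname Security or any other vendor, that runs three such checks over API access logs: too many successful reads of a sensitive endpoint per time window, serial numbers requested in consecutive order, and reads made with no authenticated principal. The log line format, the `/api/trademark/{serial}/applicant` endpoint and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Log line format assumed for this example (not any real USPTO log format):
#   "<ISO-8601 timestamp> <client ip> <method> <path> <status> <principal or '-'>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3}) (\S+)$")
# Hypothetical endpoint returning applicant contact data, keyed by an 8-digit serial number.
SENSITIVE_PATH_RE = re.compile(r"^/api/trademark/(\d{8})/applicant$")


@dataclass
class Request:
    ts: datetime
    client: str
    serial: Optional[int]  # set only for requests to the sensitive endpoint
    status: int
    principal: str         # "-" means the request carried no authenticated identity


def parse_log(lines):
    """Parse raw log lines into Request records, skipping malformed lines."""
    reqs = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts_s, client, _method, path, status, principal = m.groups()
        pm = SENSITIVE_PATH_RE.match(path)
        reqs.append(Request(ts=datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), client=client,
                            serial=int(pm.group(1)) if pm else None,
                            status=int(status), principal=principal))
    return reqs


def longest_sequential_run(serials):
    """Length of the longest run of consecutive integers among the distinct serials."""
    s = sorted(set(serials))
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def max_requests_in_window(timestamps, window):
    """Largest number of requests inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_abuse(lines, window=timedelta(seconds=60), rate_limit=20, seq_run=10):
    """Return {client: [finding, ...]} for clients whose successful reads of the sensitive
    endpoint look like scraping: high rate, serials walked in sequence, or no principal."""
    by_client = defaultdict(list)
    for r in parse_log(lines):
        if r.serial is not None and r.status == 200:
            by_client[r.client].append(r)
    findings = {}
    for client, reqs in by_client.items():
        notes = []
        rate = max_requests_in_window([r.ts for r in reqs], window)
        if rate >= rate_limit:
            notes.append(f"rate: {rate} successful sensitive reads within {int(window.total_seconds())}s")
        run = longest_sequential_run([r.serial for r in reqs])
        if run >= seq_run:
            notes.append(f"sequential: {run} consecutive serial numbers enumerated")
        anon = sum(1 for r in reqs if r.principal == "-")
        if anon:
            notes.append(f"unauthenticated: {anon} sensitive reads with no principal")
        if notes:
            findings[client] = notes
    return findings


# Constructed sample log (not real USPTO traffic): one client walks 30 consecutive serial
# numbers in 30 seconds with no principal; an authenticated examiner looks up three records.
SAMPLE_LOG = [
    f"2023-03-01T10:00:{i:02d}Z 203.0.113.5 GET /api/trademark/{90000001 + i}/applicant 200 -"
    for i in range(30)
] + [
    "2023-03-01T10:05:10Z 198.51.100.7 GET /api/trademark/88123456/applicant 200 examiner42",
    "2023-03-01T10:07:42Z 198.51.100.7 GET /api/trademark/88654321/applicant 200 examiner42",
    "2023-03-01T10:09:03Z 198.51.100.7 GET /api/trademark/88000007/applicant 404 examiner42",
    "this line is malformed and is skipped by the parser",
]

if __name__ == "__main__":
    for client, notes in detect_abuse(SAMPLE_LOG).items():
        print(client, *notes, sep="\n  - ")
```

Run against the constructed log, the scraper at 203.0.113.5 trips all three checks and the examiner trips none. The thresholds are deliberately plain so they can be tuned per endpoint; the point is that the same three signals can be computed continuously from a gateway's logs rather than once a month.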
Major API data leaks involving millions of accounts are becoming much more common. Some of the most serious recent examples are Australian telecoms giant Optus’ September 2022 loss of 10 million customer records, marketing platform Beetle Eye’s early 2022 loss of seven million records of sales leads due to a misconfigured Amazon Web Services (AWS) account, Twitter’s API breach of 2021-2022 that resulted in at least 5.4 million records of private profile information being exposed, and a February data leak from Scandinavian Airlines that exposed over 7.3 million records.
Jason Kent, Hacker in Residence for Cequence Security, notes that hackers are actively probing for the more obscure APIs that organizations are likely to overlook: “You see, the more ‘obfuscated,’ the more ‘who would do that?’ the more often the breach. Sometimes the data isn’t leaked off of one of the more technical exit points but this tends to be the way I would describe our traditionally defined Unholy Trinity of API security. In 2023 API Security Parlance, they had API9:2023 Improper Inventory Management that allowed an attacker to find the endpoint, learn that it wasn’t authenticated API2:2023 Broken User Authentication that could have allowed an automated attacker to pull all of the impacted data in a very short period of time, API6:2023 Unrestricted Access to Sensitive Business Flows. I’m glad they did an exercise in 2020 to minimize the impact of a future breach but the data goes back further to where this safety net isn’t in place and allows that data out.”
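To make the inventory gap described earlier (organizations that cannot say which APIs handle sensitive data) and the API9/API2 pairing in Kent's quote concrete, here is an added example, written for this article and not code from the USPTO, Cequence Security or the OWASP API Security project. It audits an OpenAPI 3 document for two things: operations with no security requirement whose response schema contains address-like fields, and routes seen in gateway traffic that are absent from the documented inventory. The spec, its schemas and paths, the sensitive-field heuristic and the observed routes are all constructed assumptions for the example.

```python
import re

# Constructed OpenAPI 3 document for a hypothetical trademark-status API (not the real
# TSDR specification). Only the parts the audit reads are included.
SPEC = {
    "openapi": "3.0.3",
    "security": [],  # no global security requirement
    "components": {
        "securitySchemes": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
        "schemas": {
            "Status": {"type": "object", "properties": {
                "serial": {"type": "string"}, "status": {"type": "string"}}},
            "Applicant": {"type": "object", "properties": {
                "name": {"type": "string"},
                "domicileAddress": {"$ref": "#/components/schemas/Address"}}},
            "Address": {"type": "object", "properties": {
                "street": {"type": "string"}, "city": {"type": "string"},
                "postalCode": {"type": "string"}}},
        },
    },
    "paths": {
        "/trademark/{serial}/status": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Status"}}}}}}},
        "/trademark/{serial}/applicant": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Applicant"}}}}}}},
        "/trademark/{serial}/documents": {"get": {"security": [{"apiKey": []}], "responses": {"200": {"content": {
            "application/json": {"schema": {"type": "array", "items": {"$ref": "#/components/schemas/Applicant"}}}}}}}},
    },
}

# Heuristic for field names that usually carry personal data; tune for your own schemas.
SENSITIVE_FIELD = re.compile(r"address|street|postal|zip|phone|email|ssn|birth", re.I)
HTTP_METHODS = ("get", "post", "put", "patch", "delete")


def resolve(spec, schema):
    """Follow local $ref pointers (e.g. #/components/schemas/Address) to the target schema."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def field_paths(spec, schema, prefix="", seen=frozenset()):
    """Yield dotted property paths of a schema, following $ref, arrays and allOf/oneOf/anyOf."""
    ref = schema.get("$ref")
    if ref:
        if ref in seen:
            return  # recursive schema; stop rather than loop forever
        seen = seen | {ref}
    schema = resolve(spec, schema)
    for name, sub in schema.get("properties", {}).items():
        path = f"{prefix}.{name}" if prefix else name
        yield path
        yield from field_paths(spec, sub, path, seen)
    if "items" in schema:
        yield from field_paths(spec, schema["items"], prefix + "[]", seen)
    for combinator in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(combinator, []):
            yield from field_paths(spec, sub, prefix, seen)


def path_pattern(template):
    """Turn an OpenAPI path template into a regex that matches concrete request paths."""
    parts = re.split(r"\{[^}]+\}", template)
    return "[^/]+".join(re.escape(p) for p in parts)


def audit(spec, observed_routes=()):
    """Return (method, path, reason) findings: operations with no security requirement whose
    response exposes sensitive-looking fields, plus observed routes absent from the spec."""
    findings = []
    global_auth = bool(spec.get("security"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            sec = op.get("security")  # an explicit [] at operation level disables auth
            authenticated = bool(sec) if sec is not None else global_auth
            exposed = set()
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    for fp in field_paths(spec, media.get("schema", {})):
                        if SENSITIVE_FIELD.search(fp.rsplit(".", 1)[-1]):
                            exposed.add(fp)
            if exposed and not authenticated:
                findings.append((method.upper(), path,
                                 "no security requirement; response exposes " + ", ".join(sorted(exposed))))
    documented = [path_pattern(p) for p in spec.get("paths", {})]
    for route in observed_routes:
        if not any(re.fullmatch(pat, route) for pat in documented):
            findings.append(("?", route, "seen in traffic but absent from the API inventory"))
    return findings


# Constructed routes as a gateway log would report them; two are not in the spec.
OBSERVED_ROUTES = ["/trademark/90000001/applicant",
                   "/trademark/90000001/applicant/export", "/internal/bulk/applicants"]

if __name__ == "__main__":
    for method, path, reason in audit(SPEC, OBSERVED_ROUTES):
        print(f"{method:4} {path}: {reason}")
```

On the constructed spec the audit reports the unauthenticated applicant endpoint (the API2 case) and the two undocumented routes (the API9 case), while the documents endpoint, which returns the same address fields behind an API key, is left alone. The field-name heuristic is intentionally crude; the useful part is that the check is mechanical and can be re-run every time the spec or the gateway's route list changes.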