The last weeks of 2025 have been a stark demonstration of what happens when API security becomes an afterthought...
The 700Credit Incident: Anatomy of a Preventable Data Theft
On October 25, 2025, financial services company 700Credit discovered that customer data had been systematically exfiltrated over five months. The result: 5.8 million consumer records stolen -- roughly 20% of the entire database.
How the Attack Unfolded
In July 2025, attackers first compromised a partner company of 700Credit. The vulnerability was simple: the API used "Consumer Reference IDs" for identification. Anyone who sent such an ID to the endpoint received the complete data in return -- without any authorization check.
Between May and October 2025, the attackers launched a velocity attack: they systematically tried different IDs. It took five months before anyone noticed.
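An enumeration of this kind leaves a recognisable trace in the access log: one client fetching many distinct object IDs, all with a successful status, in a short window. The following detector is an added example, not material from the 700Credit investigation or from any named product. The log line format (timestamp, client address, method, path, status) and the sample lines are constructed for the example; the window and threshold values are assumptions to be tuned per API.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not incident data). Assumed format:
# <ISO timestamp> client=<addr> <METHOD> /consumers/<id> <status>
# 198.51.100.4 walks consecutive IDs; 203.0.113.9 behaves like a normal client.
SAMPLE_LOG = """\
2025-08-01T10:00:00Z client=198.51.100.4 GET /consumers/480213 200
2025-08-01T10:00:01Z client=198.51.100.4 GET /consumers/480214 200
2025-08-01T10:00:01Z client=198.51.100.4 GET /consumers/480215 200
2025-08-01T10:00:02Z client=198.51.100.4 GET /consumers/480216 200
2025-08-01T10:00:02Z client=198.51.100.4 GET /consumers/480217 200
2025-08-01T10:00:03Z client=198.51.100.4 GET /consumers/480218 200
2025-08-01T10:00:05Z client=203.0.113.9 GET /consumers/112233 200
2025-08-01T10:00:40Z client=203.0.113.9 GET /consumers/112233 200
2025-08-01T10:01:10Z client=203.0.113.9 GET /consumers/112234 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) "
    r"/consumers/(?P<obj>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into (timestamp, client, object id, status) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], m["obj"], int(m["status"])


def detect_enumeration(log_text, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: peak distinct object IDs} for clients that successfully
    fetched more than max_distinct different IDs inside any sliding window.

    Only 200 responses count: a client that mostly gets 404s is probing,
    a client that mostly gets 200s is extracting data.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 200:
            ts, client, obj, _ = rec
            events[client].append((ts, obj))

    flagged = {}
    for client, recs in events.items():
        recs.sort()
        peak, start = 0, 0
        for end in range(len(recs)):
            # Advance the window start until it fits within `window` of the newest event.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = len({obj for _, obj in recs[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'198.51.100.4': 6}
```

Counting distinct IDs rather than raw request volume matters: a legitimate integration that polls the same record repeatedly produces many requests but few IDs, while an enumerator produces the reverse. The same counter keyed on the authenticated account instead of the client address catches the case where requests are spread across many source IPs.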
The Problem: Broken Object Level Authorization
BOLA ranks number 1 on the OWASP API Security Top 10. Every API request must verify: "is this specific user allowed to access this specific resource?"
A systematic API security test would have identified this vulnerability in minutes. Platforms like Venedy create several distinct user contexts and then check, for every object an API exposes, whether one context can read another's data.
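The check described above fits in a few lines once the handler is expressed as a function of the authenticated caller and the requested object. The code below is an added example, not code from 700Credit or from Venedy: an endpoint that looks a record up by reference ID with no ownership check, the same endpoint with the object-level check, and a two-context probe that requests every record as a principal who does not own it. The record store, tenant names and `Principal` type are constructed for the example.

```python
from dataclasses import dataclass

# Constructed in-memory record store (not real consumer data):
# reference id -> owning tenant and the payload the API returns.
RECORDS = {
    "480213": {"owner": "dealer-a", "report": "credit report for consumer 480213"},
    "480214": {"owner": "dealer-b", "report": "credit report for consumer 480214"},
    "480215": {"owner": "dealer-b", "report": "credit report for consumer 480215"},
}


class NotFound(Exception):
    """Raised for a reference the caller may not see; maps to HTTP 404."""


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. Assumed to be resolved from the session
    or API token before the handler runs; authentication is not the bug here."""
    tenant: str


def get_report_vulnerable(principal, reference_id):
    """BOLA: the caller is authenticated, but the record is returned to
    anyone who knows (or guesses) its reference id."""
    rec = RECORDS.get(reference_id)
    if rec is None:
        raise NotFound(reference_id)
    return rec["report"]


def get_report_hardened(principal, reference_id):
    """Object-level authorization: the lookup is scoped to the caller's tenant.
    'Does not exist' and 'not yours' return the same error so the endpoint
    does not confirm which ids are valid."""
    rec = RECORDS.get(reference_id)
    if rec is None or rec["owner"] != principal.tenant:
        raise NotFound(reference_id)
    return rec["report"]


def cross_account_test(handler, records=RECORDS):
    """Two-context probe: call `handler` for every record as each tenant
    that does NOT own it. Returns the (tenant, reference_id) pairs that
    were served anyway, i.e. the BOLA findings."""
    leaks = []
    tenants = {r["owner"] for r in records.values()}
    for ref_id, rec in records.items():
        for other in sorted(tenants - {rec["owner"]}):
            try:
                handler(Principal(other), ref_id)
            except NotFound:
                continue
            leaks.append((other, ref_id))
    return sorted(leaks)


def owner_access_test(handler, records=RECORDS):
    """Regression check for the fix: every owner can still read their own
    records, so the endpoint was not 'fixed' by denying everyone."""
    return all(
        handler(Principal(rec["owner"]), ref_id) == rec["report"]
        for ref_id, rec in records.items()
    )


if __name__ == "__main__":
    print(cross_account_test(get_report_vulnerable))  # every cross-tenant pair leaks
    print(cross_account_test(get_report_hardened))    # []
    print(owner_access_test(get_report_hardened))     # True
```

The probe only needs two things a test platform can generate on its own: more than one authenticated context, and the set of object IDs each context legitimately owns. Run against a real API, the same loop is driven over HTTP with each context's token, and any 200 for a foreign ID is a finding.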
React2Shell: When the Time Between Disclosure and Exploitation Vanishes
The Vulnerability
On December 3, 2025, CVE-2025-55182 was published -- a critical RCE vulnerability in React Server Components (CVSS 10.0). Complete server compromise with a single HTTP request.
Exploitation Within Hours
Just hours after publication, researchers observed the first exploitation attempts. GreyNoise identified over 362 unique attacker IPs. By the end of December, 90,300 vulnerable instances were still reachable.
The New Paradigm: Continuous API Security
API security must be continuous, not episodic. Agent-based API testing systems can automatically explore APIs, discover endpoints, and generate intelligent test cases.
What These Incidents Mean
What we need is intelligent, continuous testing that:
- Automatically understands how an API works
- Tests relevant vulnerability classes in a context-aware manner
- Runs continuously, not just before releases
- Can quickly respond to new threats
Sources
700Credit Data Breach:
- SecureMyOrg: How to Identify and Fix BOLA Vulnerabilities in Your APIs
- Qodex: Common API Security Vulnerabilities & Solutions
React2Shell (CVE-2025-55182):
- Bleeping Computer: React2Shell flaw exploited to breach 30 orgs
- Cloudflare: WAF proactively protects against React vulnerability
Test Your APIs?
Discover how Venedy automatically uncovers context-aware vulnerabilities.