API security spike
Researchers and industry analysts warn of a widening API security gap: attackers are targeting under-protected APIs, APAC's rapid AI adoption is outpacing controls, and a scan of 10 million webpages found 1,748 distinct API keys and credentials exposed on nearly 10,000 pages. The rapid rise of AI coding and agent workflows is increasing shadow AI and credential exposure, creating urgent secrets-management and policy needs. (inc42.com) (ciso.economictimes.indiatimes.com) (techradar.com) (verdict.co.uk)
Stanford researchers published a preprint analyzing 10 million webpages and identified 1,748 distinct API credentials tied to 14 service providers across nearly 10,000 pages, with individual exposures persisting from about a month to several years. (arxiv.org)
The Akamai 2025 API Security Impact Study surveyed more than 800 IT and security professionals across China, India, Japan and Australia; 85% of organizations reported at least one API-related security incident in the past 12 months, with an average incident cost above US$580,000. (odin-info.com.tw) Akamai's telemetry showed daily API attacks up 113% in 2025 over the prior year; the enterprise clients it assessed ran roughly 3,000 APIs on average, about 12% of which had vulnerabilities, and the leading root causes were security misconfiguration (about 40%) and broken object property level authorization (about 35%; API3 in the OWASP API Security Top 10 2023). (tech.yahoo.com)
A live-application study cited in Forbes scanned 5,600 "vibe-coded" apps and found more than 2,000 high-impact vulnerabilities and roughly 400 exposed secrets, while an analysis of open pull requests reported AI-authored code producing about 1.7x more issues and up to 2.74x more security flaws than human-written code. (forbes.com)
Security teams and vendors report adversaries are weaponizing automation and AI to mimic legitimate API workflows; Akamai notes that over 60% of 2025 attacks were anomalous workflows and bots that evade traditional defenses and can run up costly AI token consumption. (tech.yahoo.com)
The web-scale credential study traced most exposures to JavaScript bundling, dynamic resource inclusion, and third-party artifacts rather than to static source files, meaning repository-only secret scanning will not catch them; the researchers also say responsible disclosure led to a measurable reduction in exposed credentials after notification. (arxiv.org)
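As an added example, not code from the Stanford study or any vendor cited above, the following Python scanner shows why credentials surface in the three places the study names. It scans a page's inline scripts, follows its `<script src>` bundles, and then follows the chunks those bundles load at runtime (the dynamic inclusion case a static source scan never sees), and tags each hit as inline, first-party or third-party. The page, bundle contents, widget host and every key value are constructed; the key regexes use the commonly documented vendor prefixes (AKIA, sk_live_, AIza) and are an assumption of this example, not the paper's detectors.

```python
import math
import re
from urllib.parse import urljoin, urlparse

# Credential formats keyed on vendor prefixes (assumption: the commonly documented
# shapes, not the paper's detectors). Every value matched below is constructed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "stripe_secret_key": re.compile(r"\b(sk_(?:live|test)_[0-9A-Za-z]{24,})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
    # last resort: any key/secret/token assignment, filtered by entropy below
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
    ),
}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Dynamic inclusion: a string literal naming a .js file inside an already loaded script
DYNAMIC_JS_REF = re.compile(r"['\"]([^'\"]+\.js)['\"]")


def shannon_entropy(s):
    """Bits per character; placeholders like 'changeme_changeme' score low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def mask(value):
    """Never echo the full credential into a report."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def classify_origin(resource_url, page_url):
    if resource_url == page_url:
        return "inline"
    same_host = urlparse(resource_url).netloc == urlparse(page_url).netloc
    return "first-party" if same_host else "third-party"


def find_secrets(text):
    """Return [(pattern_name, value)]; specific formats take precedence over generic."""
    found = {}
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            val = m.group(1)
            if val in found:
                continue  # already matched by a more specific pattern
            if name == "generic_assignment" and shannon_entropy(val) < 3.5:
                continue  # low entropy: placeholder or constant, not a live secret
            found[val] = name
    return [(name, val) for val, name in found.items()]


def scan_page(page_url, html, fetch, max_depth=3):
    """Walk inline scripts, <script src> bundles and the scripts those bundles load
    at runtime. `fetch` maps URL -> body and stands in for an HTTP client."""
    findings = []
    for body in INLINE_SCRIPT.findall(html):
        for name, val in find_secrets(body):
            findings.append({"type": name, "value": mask(val), "source": page_url, "origin": "inline"})
    queue = [(urljoin(page_url, src), 1) for src in SCRIPT_SRC.findall(html)]
    seen = set()
    while queue:
        url, depth = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch.get(url)
        if body is None:
            continue  # unreachable resource; a real crawler would log it
        origin = classify_origin(url, page_url)
        for name, val in find_secrets(body):
            findings.append({"type": name, "value": mask(val), "source": url, "origin": origin})
        if depth < max_depth:  # follow dynamically included chunks, bounded
            queue.extend((urljoin(url, ref), depth + 1) for ref in DYNAMIC_JS_REF.findall(body))
    return findings


def summarize(findings):
    """Count exposures per origin (inline vs first-party bundle vs third-party)."""
    counts = {}
    for f in findings:
        counts[f["origin"]] = counts.get(f["origin"], 0) + 1
    return counts


# Constructed crawl of one page (fake hosts, fake keys)
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<html><head>
<script>window.cfg = { env: "prod", token: "changeme_changeme_changeme" };</script>
<script src="/static/app.bundle.js"></script>
<script src="https://cdn.widgets.test/chat.js"></script>
</head><body></body></html>"""
SAMPLE_RESOURCES = {
    # first-party bundle: a server-side config module pulled into the browser build
    "https://shop.example.test/static/app.bundle.js":
        'const cfg={stripe:"sk_live_CONSTRUCTED0000000000000001",'
        'token:"X9f3kQ2mLp7vR4tZ8wB1nH6yJ0cD5e",region:"eu"};'
        'function lazy(){const s=document.createElement("script");'
        's.src="/static/analytics.chunk.js";document.head.appendChild(s);}',
    # chunk that only loads at runtime, so a static source scan never sees it
    "https://shop.example.test/static/analytics.chunk.js":
        'const AWS_ID="AKIAFAKEFAKEFAKEFAKE";export default AWS_ID;',
    # third-party widget shipping its own hard-coded key
    "https://cdn.widgets.test/chat.js":
        'var apiKey = "AIzaFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFA0";',
}

if __name__ == "__main__":
    results = scan_page(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_RESOURCES)
    for f in results:
        print(f"{f['origin']:<12} {f['type']:<20} {f['value']:<16} {f['source']}")
    print(summarize(results))
```

Run against the constructed sample, the inline placeholder is dropped by the entropy filter, the first-party bundle yields a Stripe secret key and a generic token, the runtime-loaded chunk yields an AWS access key ID that a repository scan of the HTML alone would never reach, and the third-party widget yields a Google-style key the site operator does not even own. A live-site key such as `sk_live_` has no legitimate place in browser code at all; the remedy is to call the vendor through a server-side endpoint, and to restrict keys that must ship to the browser by referrer and scope.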