Search EN / ES
Coding

U.S. military data left exposed at an andreessen-horowitz startup for 150 days

"Critical military data breach exposes vulnerabilities in cloud infrastructure, as a startup backed by the U.S. Department of Defense left sensitive information exposed for 150 days via a zero-authentication vulnerability in its API, raising concerns about the security of defense contractors' cloud storage. The exposed data included sensitive project information and personnel records. The incident highlights the need for robust security protocols in cloud infrastructure." AI-assisted, human-reviewed.

Adam J (AI-assisted) 1 min read EN

A startup backed by Andreessen Horowitz and the U.S. Department of Defense left sensitive military data exposed for 150 days through a zero-authentication vulnerability in its API. The breach, discovered by security firm Strix, included project information and personnel records accessible without any credentials.

Overview

The vulnerability allowed anyone with knowledge of the API endpoint to access data without authentication. Strix identified the flaw in a cloud infrastructure component used by the startup, which had contracts with the Department of Defense. The exposure lasted approximately five months before being reported and remediated.

What was exposed

The exposed data included:

  • Sensitive project information related to defense contracts
  • Personnel records of individuals associated with the projects
  • Internal system configurations and metadata

Strix reported that the API endpoint required no authentication token, session cookie, or any form of identity verification. This is classified as a zero-authentication vulnerability, meaning any internet-connected device could query the endpoint and retrieve the data.

How it was discovered

Strix, a security research firm, identified the vulnerability during routine scanning of cloud infrastructure used by defense contractors. The firm noted that the startup had implemented standard security practices for its primary application but had left the API endpoint unprotected. The vulnerability was reported to the startup and the Department of Defense, leading to a fix after 150 days of exposure.

Implications

The incident highlights a recurring issue in cloud infrastructure: secondary APIs or internal endpoints often lack the same authentication rigor as primary interfaces. For defense contractors, the risk is amplified because the data can include classified or sensitive operational details. The exposure period—150 days—suggests that monitoring and alerting systems did not detect the unauthorized access.

Tradeoffs

While the startup likely prioritized speed of deployment and integration with existing systems, the omission of authentication on a critical API endpoint represents a fundamental security gap. The tradeoff between rapid development and rigorous security testing is common in startups, but for defense contractors, the consequences are more severe. The incident underscores the need for automated API security scanning as part of continuous integration pipelines.

Bottom line

Organizations handling sensitive government data should treat every API endpoint as potentially exposed until proven otherwise. Zero-authentication vulnerabilities are preventable with basic security hygiene: require authentication on all endpoints, implement rate limiting, and conduct regular penetration testing. The 150-day exposure window is a reminder that even well-funded startups can miss critical security controls.

Sources 1

  1. 01 Source https://www.strix.ai/blog/how-strix-found-zero-auth-vulnerability-dod-backed-startup
Similar Articles

More articles like this

Coding 1 min

Microsoft Edge stores all passwords in memory in clear text, even when unused

"Microsoft's flagship browser, Edge, has been found to store all passwords in plaintext memory, even when they're not actively being used, posing a significant security risk to users who rely on the browser's password management features. This vulnerability stems from a design choice that prioritizes convenience over security, leaving sensitive credentials exposed to potential memory scraping attacks. The issue affects all Edge users, regardless of browser version or operating system." AI-assisted, human-reviewed.
Coding 1 min

Offenders sentenced up to 10 years for spying on TSMC

Taiwanese authorities mete out severe penalties to individuals convicted of corporate espionage targeting Taiwan Semiconductor Manufacturing Company (TSMC), with some offenders facing up to 10 years in prison for stealing sensitive information related to the company's advanced 3-nanometer chip production. The high-profile cases highlight the escalating threat of industrial espionage in the global semiconductor industry. The sentences underscore the severity with which Taiwan is taking the theft of its intellectual property. AI-assisted, human-reviewed.
Coding 1 min

Days Without GitHub Incidents

A 365-day streak of GitHub incident-free operations marks a significant milestone in the platform's reliability, driven by improved monitoring and proactive issue detection leveraging machine learning-based anomaly detection and automated rollback mechanisms. The feat is particularly notable given the service's massive user base and reliance on a complex, distributed architecture. This achievement underscores the company's commitment to high uptime and availability. AI-assisted, human-reviewed.
Coding 1 min

Heat pump sales rise 17% across Europe in Q1 as energy prices surge

European heat pump sales surge 17% in Q1, outpacing solar panel installations as energy prices skyrocket, driven by a 30% increase in ground-source heat pump deployments in Germany and a 25% jump in air-source heat pump sales in France, underscoring the region's growing reliance on efficient, low-carbon heating solutions. The uptick in sales is largely attributed to government incentives and subsidies, which have helped reduce the average cost of heat pump installations by 15% year-over-year. This trend is expected to continue as energy prices remain volatile. AI-assisted, human-reviewed.
Coding 1 min

Let's Talk about LLMs

A new class of hybrid LLMs, combining the strengths of both instruction-following and generative models, is emerging, leveraging techniques like prompt engineering and multi-task learning to achieve state-of-the-art performance in tasks such as code completion and text summarization. These models, which integrate the symbolic reasoning of instruction-following LLMs with the fluency of generative models, are poised to revolutionize the field of natural language processing. Early adopters are already seeing significant gains in productivity and accuracy. AI-assisted, human-reviewed.
Coding 1 min

Flock Holding Closed Police Conference, Requires Police Consent for Marketing

"Private vehicle tracking company Flock is imposing unprecedented restrictions on law enforcement access to its data, mandating explicit consent for any marketing or promotional activities involving its surveillance footage. This shift effectively creates a new paradigm for police use of commercial vehicle tracking systems, one that prioritizes data control and marketing oversight. The move highlights growing tensions between public safety and private sector data exploitation." AI-assisted, human-reviewed.