# U.S. military data left exposed at an Andreessen Horowitz startup for 150 days
A startup backed by Andreessen Horowitz and the U.S. Department of Defense left sensitive military data exposed for 150 days through a zero-authentication vulnerability in its API. The breach, discovered by security firm Strix, included project information and personnel records accessible without any credentials.

## Overview

The vulnerability allowed anyone who knew the API endpoint to access data without authentication. Strix identified the flaw in a cloud infrastructure component used by the startup, which had contracts with the Department of Defense. The exposure lasted approximately five months before it was reported and remediated.

## What was exposed

The exposed data included:

- Sensitive project information related to defense contracts
- Personnel records of individuals associated with the projects
- Internal system configurations and metadata

Strix reported that the API endpoint required no authentication token, session cookie, or any other form of identity verification. This is classified as a zero-authentication vulnerability: any internet-connected device could query the endpoint and retrieve the data.

## How it was discovered

Strix, a security research firm, identified the vulnerability during routine scanning of cloud infrastructure used by defense contractors. The firm noted that the startup had implemented standard security practices for its primary application but had left the API endpoint unprotected. The vulnerability was reported to the startup and the Department of Defense, leading to a fix after 150 days of exposure.

## Implications

The incident highlights a recurring issue in cloud infrastructure: secondary APIs and internal endpoints often lack the authentication rigor applied to primary interfaces. For defense contractors the risk is amplified, because the data can include classified or sensitive operational details. The 150-day exposure period suggests that monitoring and alerting systems did not detect the unauthorized access.
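One way to catch the secondary-endpoint gap described above before deployment is to lint the API contract itself. The check below is an added example, not code from the article or from any company it names: it walks a constructed OpenAPI 3 document (not the startup's real spec) and flags every operation whose effective security requirement admits anonymous calls, including the two ways OpenAPI lets an operation silently opt out of the document-wide requirement.

```python
import json

# Constructed sample OpenAPI 3 document (not the startup's real spec): the
# global "security" requires a bearer token; "security: []" on an operation
# disables auth, and an empty-object alternative {} makes auth optional.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "security": [{"bearer": []}],
    "paths": {
        "/projects": {"get": {"summary": "List projects"}},
        "/projects/{id}/personnel": {
            "get": {"summary": "Personnel on a project", "security": []}
        },
        "/status": {"get": {"summary": "Build info", "security": [{"bearer": []}, {}]}},
        "/healthz": {"get": {"summary": "Liveness probe", "security": []}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def allows_anonymous(requirements):
    """True if a security requirement list admits unauthenticated calls: the
    list holds alternatives, so an empty list or an empty-object alternative
    means the operation can be called with no credentials."""
    return len(requirements) == 0 or any(len(alt) == 0 for alt in requirements)

def find_unauthenticated(spec_text, allowlist=()):
    """Return (METHOD, path) pairs whose effective security admits anonymous
    access. Operation-level "security" overrides the document-level list;
    paths in allowlist (e.g. a liveness probe) are intentionally public."""
    spec = json.loads(spec_text)
    findings = []
    for path, item in spec.get("paths", {}).items():
        if path in allowlist:
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            requirements = op.get("security", spec.get("security", []))
            if allows_anonymous(requirements):
                findings.append((method.upper(), path))
    return findings

if __name__ == "__main__":
    # Exit non-zero so a CI stage fails when an unexpected endpoint is open.
    open_endpoints = find_unauthenticated(SAMPLE_SPEC, allowlist=("/healthz",))
    for method, path in open_endpoints:
        print(f"unauthenticated endpoint: {method} {path}")
    raise SystemExit(1 if open_endpoints else 0)
```

A spec check only proves what the contract declares; pair it with a runtime probe that sends credential-free requests to each listed route in a staging environment and expects 401 or 403.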
## Tradeoffs

While the startup likely prioritized speed of deployment and integration with existing systems, the omission of authentication on a critical API endpoint is a fundamental security gap. The tradeoff between rapid development and rigorous security testing is common in startups, but for defense contractors the consequences are far more severe. The incident underscores the need for automated API security scanning as part of continuous integration pipelines.

## Bottom line

Organizations handling sensitive government data should treat every API endpoint as potentially exposed until proven otherwise. Zero-authentication vulnerabilities are preventable with basic security hygiene: require authentication on all endpoints, implement rate limiting, and conduct regular penetration testing. The 150-day exposure window is a reminder that even well-funded startups can miss critical security controls.

AI-assisted, human-reviewed.
