The call came at 2:47 AM on a Tuesday in October 2024. I’d been following API security incidents for fifteen years, but this one made my coffee go cold as the CISO walked me through what happened.

Their fintech had discovered attackers extracting customer financial data through /api/v2/admin/debug-metrics — an endpoint that shouldn’t exist. No developer remembered building it. Their OpenAPI specs contained zero references to it. Yet there it was, quietly serving PII to anyone who stumbled across the URL.