Vorlon Blog

The Postman Data Leak - Exposing the Hidden Risks of API Development

Written by Anil Agrawal | Jan 30, 2025 6:00:36 PM

How poor practices in API and third-party app security leave sensitive data vulnerable

The Postman data leak has revealed significant security risks in API development and third-party app ecosystems, with over 30,000 publicly accessible Postman collections containing sensitive data. These collections exposed API keys, access tokens and credentials stored in plain text, which could then be used to gain unauthorized access to systems and apps and to exfiltrate sensitive data such as personally identifiable information (PII), protected health information (PHI), and internal company data. For example, a third-party vendor’s leaked Postman workspace exposed valid credentials to a major athletic brand’s Okta IAM system, allowing potential exfiltration of invoices, shipment details, and trade secrets. The breach underscores the vulnerabilities in insecure API development practices and highlights the importance of monitoring sensitive data traffic across third-party applications.

What were the key causes behind the Postman data leak?

Security vs. speed

Developers often prioritize delivering features quickly to meet delivery deadlines. This leads to risky practices, such as publicly sharing Postman collections for collaboration and testing, inadvertently exposing sensitive data such as credentials and internal systems data.

Poor access governance

Without strict access controls and review, permissions accumulate over time, often lingering long past their need. This “access creep” increases the risk of unauthorized access to sensitive systems and data.

Insecure credential storage

Storing API keys and other credentials in plaintext within Postman collections is a widespread but preventable issue. Although Postman has a built-in "Vault" feature, it is often underutilized.
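As an added example (not code from the post or from Postman itself), the following Python scanner walks a constructed Postman Collection v2.1 export and reports credentials stored as literal values in collection variables, request headers and auth blocks, while accepting {{variable}} and {{vault:name}} references as safe. The sample collection, the key-name regex and the function name find_plaintext_secrets are assumptions made for the example.

```python
import json
import re

# Constructed sample of a Postman Collection v2.1 export; every value is a placeholder.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "orders-api"},
    "variable": [{"key": "base_url", "value": "https://api.example.invalid"},
                 {"key": "api_key", "value": "sk_live_EXAMPLE0123456789abcdef"}],
    "item": [
        {"name": "List invoices", "request": {"method": "GET", "url": "{{base_url}}/invoices",
            "header": [{"key": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE.SIG"}]}},
        {"name": "Create shipment", "request": {"method": "POST", "url": "{{base_url}}/shipments",
            "auth": {"type": "apikey", "apikey": [{"key": "key", "value": "X-API-Key"},
                                                  {"key": "value", "value": "{{vault:orders-api-key}}"}]}}},
    ],
})

SENSITIVE_KEY = re.compile(r"authorization|api[-_]?key|token|secret|password", re.I)
VARIABLE_REF = re.compile(r"^\{\{(vault:)?[^{}]+\}\}$")  # {{var}} or {{vault:name}} reference
AUTH_SECRET_PARAMS = {"value", "token", "password"}      # secret field of apikey / bearer / basic auth

def _is_literal(value):  # hard-coded string, as opposed to a variable or Vault reference
    return isinstance(value, str) and value != "" and VARIABLE_REF.match(value) is None

def _mask(value):  # never echo the full secret into a report
    return value[:6] + "..." if len(value) > 6 else "***"

def find_plaintext_secrets(collection_json):
    """Return (location, key, masked value) for every literal credential in the export."""
    coll = json.loads(collection_json)
    findings = [("collection variable", v["key"], _mask(v["value"]))
                for v in coll.get("variable", [])
                if SENSITIVE_KEY.search(v.get("key", "")) and _is_literal(v.get("value"))]
    def walk(items, path):
        for item in items:
            name = f"{path}/{item.get('name', '?')}"
            if "item" in item:                       # folder: recurse into nested requests
                walk(item["item"], name)
                continue
            req = item.get("request") if isinstance(item.get("request"), dict) else {}
            auth = req.get("auth") or {}
            candidates = [(name + " header", h) for h in req.get("header", [])
                          if SENSITIVE_KEY.search(h.get("key", ""))]
            candidates += [(name + " auth", p) for p in auth.get(auth.get("type", ""), [])
                           if p.get("key") in AUTH_SECRET_PARAMS]
            findings.extend((loc, c["key"], _mask(c["value"])) for loc, c in candidates
                            if _is_literal(c.get("value")))
    walk(coll.get("item", []), coll.get("info", {}).get("name", "collection"))
    return findings
```

Running it on the sample flags the api_key variable and the Authorization header, and leaves the Vault-backed API key alone; the same check can gate a collection export before it is shared or published.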

Unchecked third-party app integrations

Third-party apps frequently access sensitive organizational data without proper oversight. Organizations often lack visibility into what data these apps consume and share, leaving them vulnerable to breaches.

Mismanaged secrets

The unmanaged proliferation of secrets—including API keys, service accounts, and credentials—significantly expands organizational attack surfaces. These are rarely tracked or decommissioned effectively, leaving them vulnerable to exploitation. Without the ability to map secrets to specific sensitive data flows, organizations lack the critical context to prioritize remediation efforts, secure high-risk access points, or triage security alerts effectively.

Understanding the breach response complexities and organizational impact

Identify exposed credentials and their associated data flows

Organizations must locate exposed Postman collections and identify which third-party apps or internal systems rely on the leaked credentials. The complexity grows with the scale of sensitive data flows and integrations.

Evaluate business impact

Revoking or rotating credentials can disrupt operations. Organizations must map inter-application dependencies and associated secrets carefully before remediation to avoid the risk of breaking business workflow and causing downtime. For example, abruptly rotating an API key could disrupt payment gateways, inventory systems, or even cause system-wide outages.

Revoke or rotate credentials while maintaining audit trails

Credential rotation requires a structured approach—not just revoking compromised secrets but deploying new credentials with minimal operational downtime. This is often a manual and time-intensive process that demands cross-functional coordination (e.g., DevOps, application owners, third-party vendors) to maintain service continuity while maintaining audit logs.

Best practices for preventing future data leaks

Adopt secure development practices

  • Segregate production and development environments to limit data exposure.
  • Use secure vaults for secret storage instead of plaintext.

Strengthen access governance

  • Apply the Principle of Least Privilege (PoLP) for application access and data sharing.
  • Regularly review and revoke unused permissions to reduce the risk of accidental data exposure.

Improve secrets management

  • Map API keys, service accounts, and other credentials to their associated data flows and owners.
  • Periodically audit and decommission inactive secrets.

Monitor logs and data flows continuously

  • Maintain visibility into how sensitive data moves across applications.
  • Use tools to detect anomalous patterns in first- and third-party app ecosystems.

Key takeaways

The Postman data leak is a critical lesson in how unmanaged API secrets and third-party integrations can create direct breach vectors for attackers to gain unauthorized access to systems, leading to catastrophic exposure and/or exfiltration of sensitive data. Organizations that lack visibility into where credentials are embedded, how they interact with systems handling PII, PHI, or trade secrets, and what data those systems transmit leave themselves vulnerable to stealthy, large-scale data theft. 

By correlating secrets with the associated applications and the sensitive data flows they govern—such as payment gateways or customer databases—teams can prioritize securing high-risk access points, enforce secrets hygiene, and detect anomalous access patterns indicative of exfiltration attempts. Proactive monitoring of third-party app ecosystems and data flow is no longer optional; it’s the frontline defense against breaches that weaponize sensitive data flows.

How Vorlon can help

Vorlon’s Third-Party Application Detection and Response (TADR) provides proactive security coverage like you’ve come to expect for endpoints and cloud:

  • Mapping your entire app ecosystem to monitor sensitive data flows and connections.
  • Continuously tracking data access patterns and detecting anomalies.
  • Providing the context needed to connect secrets with sensitive data flows, so you can prioritize what matters most.
  • Providing the ability to revoke risky credentials in real time to prevent data exposure while providing insight into the potential impact on business operations.
  • Enabling audit-ready reporting to ensure compliance and build trust.

Ready to secure your data and third-party apps?

Don’t let insecure API practices and invisible sensitive data flows leave your organization exposed. Book a demo with Vorlon today to learn how we can transform your third-party app security.


About the Author

Anil Agrawal
Security Researcher at Vorlon


Anil Agrawal is a security researcher at Vorlon specializing in SOC optimization and has over eight years of experience in cybersecurity. Before joining Vorlon, he served as a Solutions Architect at Palo Alto Networks, where he designed advanced automation solutions and cybersecurity strategies for Fortune 500 clients. His career includes technical roles at Syracuse University, where he streamlined incident response processes and conducted malware analysis. Anil holds a Master’s degree in Management Information Systems from Syracuse University with a specialization in Information Security Management. Passionate about mitigating third-party application risks, he focuses on pioneering R&D to address evolving cybersecurity challenges. Connect with Anil on LinkedIn to explore collaborations in security innovation and stay updated on his latest contributions.