The Shadow API Tsunami: Toyota, Telefonica, and the 90% Problem

John Z Black Apr 21, 2026 Vulnerabilities & Patching #api-security #shadow-api #toyota #telefonica #salt-labs #data-breach

Salt Labs just dropped a statistic that should keep every CISO up at night. Nine out of ten security investigations they conduct find at least one major API vulnerability.

We saw that statistic play out in the real world this weekend. Toyota North America exposed 6.3 million records, including vehicle location data, through an unsecured API. Telefonica Brasil leaked another 15 million. These were not complex hacks. They were just open doors.

Nearly half of all enterprises have these shadow APIs: endpoints that exist in production but are not on anyone’s map. They are the new unsecured S3 buckets, and with AI agents now crawling infrastructure automatically, the risk of discovery is higher than ever.

You cannot protect what you cannot see. It is time to stop worrying about your web forms and start worry about the APIs that actually hold your data.

See the stats and learn why Shadow APIs are the biggest data breach risk of 2026