
U.S. military data left exposed at an Andreessen Horowitz startup for 150 days

"Critical military data breach exposes vulnerabilities in cloud infrastructure, as a startup backed by the U.S. Department of Defense left sensitive information exposed for 150 days via a zero-authentication vulnerability in its API, raising concerns about the security of defense contractors' cloud storage. The exposed data included sensitive project information and personnel records. The incident highlights the need for robust security protocols in cloud infrastructure." AI-assisted, human-reviewed.

A startup backed by Andreessen Horowitz and the U.S. Department of Defense left sensitive military data exposed for 150 days through a zero-authentication vulnerability in its API. The breach, discovered by security firm Strix, included project information and personnel records accessible without any credentials.

Overview

The vulnerability allowed anyone with knowledge of the API endpoint to access data without authentication. Strix identified the flaw in a cloud infrastructure component used by the startup, which had contracts with the Department of Defense. The exposure lasted approximately five months before being reported and remediated.

What was exposed

The exposed data included:

  • Sensitive project information related to defense contracts
  • Personnel records of individuals associated with the projects
  • Internal system configurations and metadata

Strix reported that the API endpoint required no authentication token, session cookie, or any form of identity verification. This is classified as a zero-authentication vulnerability, meaning any internet-connected device could query the endpoint and retrieve the data.

How it was discovered

Strix, a security research firm, identified the vulnerability during routine scanning of cloud infrastructure used by defense contractors. The firm noted that the startup had implemented standard security practices for its primary application but had left the API endpoint unprotected. The vulnerability was reported to the startup and the Department of Defense, leading to a fix after 150 days of exposure.

Implications

The incident highlights a recurring issue in cloud infrastructure: secondary APIs or internal endpoints often lack the same authentication rigor as primary interfaces. For defense contractors, the risk is amplified because the data can include classified or sensitive operational details. The exposure period—150 days—suggests that monitoring and alerting systems did not detect the unauthorized access.

Tradeoffs

While the startup likely prioritized speed of deployment and integration with existing systems, the omission of authentication on a critical API endpoint represents a fundamental security gap. The tradeoff between rapid development and rigorous security testing is common in startups, but for defense contractors, the consequences are more severe. The incident underscores the need for automated API security scanning as part of continuous integration pipelines.
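An added example (not from the original article, Strix, or the startup) of the kind of CI check this paragraph calls for: it requests every registered route with no credentials and fails the build if any route outside an explicit public allowlist returns data. The route paths, token and allowlist are constructed for illustration.

```python
import json
from wsgiref.util import setup_testing_defaults

VALID_TOKEN = "Bearer constructed-test-token"  # constructed value, not a real credential

def require_auth(handler):
    """Wrap a handler so it answers 401 unless the expected bearer token is sent."""
    def wrapped(environ):
        if environ.get("HTTP_AUTHORIZATION") != VALID_TOKEN:
            return "401 Unauthorized", {"error": "authentication required"}
        return handler(environ)
    return wrapped

# Hypothetical route table: the primary API is protected, a secondary route was missed.
ROUTES = {
    "/api/v1/projects": require_auth(lambda env: ("200 OK", {"projects": ["constructed"]})),
    "/internal/personnel": lambda env: ("200 OK", {"personnel": ["constructed"]}),  # the gap
    "/healthz": lambda env: ("200 OK", {"status": "ok"}),  # intentionally public
}
PUBLIC_ALLOWLIST = {"/healthz"}

def app(environ, start_response):
    """Minimal WSGI app standing in for the service under test."""
    handler = ROUTES.get(environ["PATH_INFO"])
    status, body = handler(environ) if handler else ("404 Not Found", {})
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]

def unauthenticated_routes(wsgi_app, paths, allowlist):
    """Call every path in-process with no credentials; return those that answer 2xx."""
    exposed = []
    for path in sorted(paths):
        environ = {}
        setup_testing_defaults(environ)  # GET request, no Authorization header
        environ["PATH_INFO"] = path
        captured = {}
        def start_response(status, headers, exc_info=None):
            captured["status"] = status
        b"".join(wsgi_app(environ, start_response))
        if captured["status"].startswith("2") and path not in allowlist:
            exposed.append(path)
    return exposed

if __name__ == "__main__":
    exposed = unauthenticated_routes(app, ROUTES, PUBLIC_ALLOWLIST)
    # A non-empty list exits non-zero, which fails the CI job.
    raise SystemExit(f"unauthenticated endpoints: {exposed}" if exposed else 0)
```

Driving the check from the application's own route table rather than a hand-kept list means a newly added secondary endpoint is covered as soon as it is registered.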

Bottom line

Organizations handling sensitive government data should treat every API endpoint as potentially exposed until proven otherwise. Zero-authentication vulnerabilities are preventable with basic security hygiene: require authentication on all endpoints, implement rate limiting, and conduct regular penetration testing. The 150-day exposure window is a reminder that even well-funded startups can miss critical security controls.
