Inside this Year's Biggest API breaches: Real Stories, Real Lessons

In this episode of The Appi Hour, Dan is joined by Dave, Head of Products at APIsec, to unpack some of the most eye-opening API breaches making waves. From leaked API keys at xAI, to McDonald’s exposing 64 million job applications, to logic flaws in Base44’s vibe-coding platform, and even a Volkswagen app that let attackers brute-force their way into cars—the stories are as shocking as they are instructive.

Dave brings frontline experience from working with customers on API security, highlighting how seemingly small oversights—like hardcoded keys, weak authentication, or unchecked authorization—can snowball into massive vulnerabilities. Together, they connect each case to the OWASP API Security Top 10 and share practical steps to avoid these same pitfalls.

Whether you’re a developer, security engineer, or simply curious about how everyday apps get hacked, this conversation offers valuable insights (and a reminder of how critical APIs are in today’s digital world).

What you’ll learn:

• Why API keys remain one of the most common—and preventable—security leaks

• How researchers accessed 64 million McDonald’s job applications via a simple IDOR flaw

• The hidden risks of convenience-driven platforms like Base44

• How a used Volkswagen exposed its owner’s data through predictable APIs

• Best practices for preventing brute force, excessive data exposure, and broken authorization

Tune in, take notes, and walk away with actionable tactics to strengthen your own API security posture.