Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Public API exposure and identity aggregation: what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10158
Topic starter  

TL;DR: An alleged Polymarket exposure involving more than 10 million records and about 300,000 user-associated identities appears, based on current evidence, to stem from aggregation of public APIs and blockchain data rather than backend compromise, according to Gurucul. The incident shows how exposed metadata can still create privacy, profiling, and reconnaissance risk when identity signals are easy to correlate.

NHIMG editorial — based on content published by Gurucul covering the alleged Polymarket data exposure: LLMjacking: How Attackers Hijack AI Using Compromised NHIs

By the numbers:

Questions worth separating out

Q: What breaks when public APIs expose too much identity metadata?

A: Public APIs become a source of identity intelligence rather than just application functionality.

Q: Why do public metadata and blockchain-linked identities increase privacy risk?

A: Because they create a durable correlation layer.

Q: How can security teams tell whether an API is enabling large-scale scraping?

A: Look for sequential request patterns, repeated access across related endpoints, high-frequency lookups from the same source, and unusually broad traversal of records.

Practitioner guidance

  • Map joinable identity fields across public APIs Identify which fields can be combined to reconstruct user identity, wallet attribution, activity history, or behavioural patterns.
  • Reduce metadata returned by unauthenticated or lightly authenticated endpoints Remove fields that are not operationally necessary, especially those that enable correlation across systems.
  • Test for automated enumeration and scraping behaviour Monitor for sequential requests, high-frequency access from single sources, and repeated lookups across related endpoints.

What's in the full article

Gurucul's full blog post covers the operational detail this post intentionally leaves for the source:

  • The sample-data correlation steps used to compare public API output with the circulated dataset.
  • The specific monitoring activities Gurucul recommends for detecting automated enumeration and scraping.
  • The full list of exposed-data risks tied to wallet deanonymisation, profiling, and behavioural mapping.
  • The recommended defensive actions for rate limiting, authentication, and anomaly detection at the API layer.

👉 Read Gurucul's analysis of the alleged Polymarket data exposure →

Public API exposure and identity aggregation: what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Public data aggregation is a governance failure when identity signals remain machine-readable at scale. This incident appears to sit closer to exposure-by-enumeration than backend compromise, but that distinction does not reduce the identity risk. When API output, blockchain attribution, and user metadata can be assembled into a profile, the governance problem is the amount of identity intelligence the system makes available without any meaningful friction. Practitioners should treat public data minimisation as an identity control, not a privacy afterthought.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs , Key Challenges and Risks.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity exposure persists without clear ownership or control.

A question worth separating out:

Q: Who is accountable when exposed platform data can be assembled into user profiles?

A: Accountability sits with the platform owner and the teams governing data exposure, access design, and identity minimisation. If public or lightly protected endpoints can be combined into a profiling dataset, the issue is not just abuse by an external actor. It is a governance failure in how the data surface was designed and approved.

👉 Read our full editorial: Polymarket data exposure shows how public APIs enable identity aggregation



   
ReplyQuote
Share: