Hacking the Human Layer: How APIs Supercharge Social Engineering Attacks

By Teresa Pereira — Threat Intelligence Specialist, Siemens Energy | APIsec University Ambassador

Introduction: When Trust Becomes a Threat Vector

APIs are the connective tissue of the internet—powering everything from your mobile apps to your favorite fintech platforms. But what happens when the very APIs designed to enable digital transformation become enablers of deception?

In this blog, we explore the alarming convergence of API technology and social engineering. Based on Teresa’s APIsec|CON '25 talk, this piece dives deep into how open and poorly secured APIs are now a tool in the attacker’s OSINT arsenal—automating reconnaissance and supercharging phishing campaigns with terrifying precision.

Social Engineering 101: Manipulating Minds, Not Machines

Social engineering exploits human psychology—not technical vulnerabilities. From phishing emails to deepfakes, attackers use trust, fear, curiosity, and urgency to trick users into giving away sensitive data or access. And the most effective attacks often begin with data collected during the OSINT (Open-Source Intelligence) phase.

Enter APIs: The Reconnaissance Engine for Social Engineers

Today, attackers aren’t manually scouring social media profiles—they’re using APIs to extract large volumes of personal data at scale. APIs allow malicious actors to gather:

• Names and usernames
• Email addresses and phone numbers
• Account metadata
• Linked third-party services

With just a username or email, an attacker can launch precision-targeted phishing and vishing campaigns that bypass traditional security awareness.

The Duolingo Case: Open APIs, Open Season

In 2023, an attacker scraped data from an open Duolingo API and listed 2.6 million user accounts for sale. Though Duolingo denied it was a breach, the scraped data included usernames, emails, phone numbers, and account types.

What made this worse?

• The API had no authentication or rate limiting
• Sensitive data was overexposed by design
• Credit card info was visible for premium users

This incident serves as a masterclass in how unprotected APIs enable data harvesting—perfect fuel for social engineering.

Relevant OWASP API Security Risks

Duolingo’s oversight hits several key items on the OWASP API Security Top 10:

• API3:2023 – Broken Object Property Level Authorization
• API4:2023 – Unrestricted Resource Consumption
• API9:2023 – Improper Inventory Management
• API10:2023 – Unsafe Consumption of APIs

APIs that fail to implement proper access controls, sanitize outputs, or monitor usage can easily become data-leaking endpoints—magnets for attackers looking to phish, vish, or scam.

From Scraping to Scamming: Automating the Human Exploit Chain

Using scraped API data, attackers can:

• Personalize phishing emails for credibility
• Mimic legitimate services in SMS (smishing) or calls (vishing)
• Tailor attacks to roles (e.g., finance or HR teams)
• Chain OSINT data with generative AI for scalable spearphishing

Even tools like ChatGPT and PenTestGPT can be misused to craft near-perfect phishing emails—with urgency, context, and even email signatures built in.

Pro Tips for AppSec Teams

To defend your APIs against social engineering-enabling misuse:

✅ Minimize exposed data—show only what’s necessary
✅ Enforce strict rate limiting and IP throttling
✅ Require API authentication—even for non-critical endpoints
✅ Audit and inventory all public-facing APIs regularly
✅ Monitor for scraping behavior or abnormal access patterns

Final Thought: Forgotten APIs Can Be the Weakest Link

Even if your core systems are secure, a single forgotten or misconfigured API can open a side door for attackers. The OSINT landscape is evolving fast—and APIs are now central to both defense and attack strategies.

‍