Hacking the Human Layer: How APIs Supercharge Social Engineering Attacks
“Your APIs may be fueling phishing attacks—and you may not even know it. Learn how attackers use APIs for precision OSINT and how AppSec teams can fight back.”

By Teresa Pereira — Threat Intelligence Specialist, Siemens Energy | APIsec University Ambassador
Introduction: When Trust Becomes a Threat Vector
APIs are the connective tissue of the internet—powering everything from your mobile apps to your favorite fintech platforms. But what happens when the very APIs designed to enable digital transformation become enablers of deception?
In this post, we explore the convergence of API technology and social engineering. Based on Teresa’s APIsec|CON '25 talk, it looks at how open and poorly secured APIs have become part of the attacker’s OSINT toolkit, automating reconnaissance and giving phishing campaigns a precision that hand-built pretexts never had.
Social Engineering 101: Manipulating Minds, Not Machines
Social engineering exploits human psychology—not technical vulnerabilities. From phishing emails to deepfakes, attackers use trust, fear, curiosity, and urgency to trick users into giving away sensitive data or access. And the most effective attacks often begin with data collected during the OSINT (Open-Source Intelligence) phase.
Enter APIs: The Reconnaissance Engine for Social Engineers
Today, attackers aren’t manually scouring social media profiles—they’re using APIs to extract large volumes of personal data at scale. APIs allow malicious actors to gather:
- Names and usernames
- Email addresses and phone numbers
- Account metadata
- Linked third-party services
With nothing more than a username or email address, an attacker can run precision-targeted phishing and vishing campaigns whose personalized pretexts slip past generic security-awareness training.
The Duolingo Case: Open APIs, Open Season
In 2023, an attacker scraped data from an open Duolingo API and listed 2.6 million user accounts for sale. Though Duolingo denied it was a breach, the scraped data included usernames, emails, phone numbers, and account types. The endpoint accepted an email address and returned the matching public profile, so an attacker could feed in email lists from earlier, unrelated breaches, confirm which ones belonged to registered users, and enrich every hit with profile data.
What made this worse?
- The API had no authentication or rate limiting
- Sensitive data was overexposed by design
- Credit card info was visible for premium users
This incident serves as a masterclass in how unprotected APIs enable data harvesting—perfect fuel for social engineering.
Relevant OWASP API Security Risks
Duolingo’s oversight maps onto several items in the OWASP API Security Top 10 (2023):
- API3:2023 – Broken Object Property Level Authorization: the response carried far more properties than a public profile needs
- API4:2023 – Unrestricted Resource Consumption: with no rate limiting, a single client could walk millions of lookups
- API9:2023 – Improper Inventory Management: public endpoints that are not inventoried and reviewed drift out of sight (the “forgotten API” problem)
- API10:2023 – Unsafe Consumption of APIs: this entry covers how an API consumes third-party APIs, so it is a loose fit here; the unauthenticated lookup itself sits closer to API2:2023 – Broken Authentication
APIs that fail to implement proper access controls, minimize what they return, or monitor their own usage become data-leaking endpoints—magnets for attackers looking to phish, vish, or scam.
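As an added illustration (not Duolingo’s code and not from the original talk), the following Python places the over-exposing pattern the OWASP items above describe beside a hardened version: an unauthenticated lookup keyed on email that returns the whole stored record, and the same lookup requiring a caller identity, refusing email or phone as search keys, and allowlisting the properties it returns. The user records, field names and the Request/Response types are constructed for the example.

```python
"""Email-keyed user lookup: the over-exposing pattern beside a hardened one.
Constructed example; the records, field names and types are made up."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample store; every value is fictitious. payment_ref stands in
# for any billing detail that must never leave the server.
USERS = {
    1001: {"username": "alice_learns", "name": "Alice Example",
           "email": "alice@example.com", "phone": "+1-555-0100",
           "subscription": "premium", "payment_ref": "pm_REDACTED",
           "languages": ["es", "fr"]},
    1002: {"username": "bob_b", "name": "Bob Example",
           "email": "bob@example.com", "phone": "+1-555-0101",
           "subscription": "free", "payment_ref": None,
           "languages": ["de"]},
}


@dataclass
class Request:
    params: dict
    caller: Optional[str] = None  # authenticated principal; None when anonymous


@dataclass
class Response:
    status: int
    body: dict


def lookup_vulnerable(req: Request) -> Response:
    """Anti-pattern: no authentication, keyed on email, whole record returned.
    Replaying a breached email list against it confirms which addresses are
    registered and yields username, phone and account type for every hit."""
    email = req.params.get("email", "").lower()
    for user in USERS.values():
        if user["email"] == email:
            return Response(200, dict(user))
    return Response(404, {"error": "not found"})


# Allowlist of properties a public profile needs; nothing else is serialized.
PUBLIC_FIELDS = ("username", "languages")


def lookup_hardened(req: Request) -> Response:
    """Requires a caller, refuses PII as a search key, allowlists output."""
    if req.caller is None:
        return Response(401, {"error": "authentication required"})
    if any(p in req.params for p in ("email", "phone")):
        # Email and phone are not search keys: accepting them is what turns
        # a profile endpoint into an "is this address registered?" oracle.
        return Response(400, {"error": "lookup by username only"})
    username = req.params.get("username")
    if not username:
        return Response(400, {"error": "username required"})
    for user in USERS.values():
        if user["username"] == username:
            return Response(200, {k: user[k] for k in PUBLIC_FIELDS})
    return Response(404, {"error": "not found"})


def leaked_fields(resp: Response) -> set:
    """Properties in a response body that are not on the public allowlist."""
    return set(resp.body) - set(PUBLIC_FIELDS) - {"error"}


if __name__ == "__main__":
    anon_email = Request({"email": "alice@example.com"})
    print("vulnerable leaks:", sorted(leaked_fields(lookup_vulnerable(anon_email))))
    print("hardened, anonymous:", lookup_hardened(Request({"username": "alice_learns"})).status)
    print("hardened, by username:", lookup_hardened(Request({"username": "alice_learns"}, caller="mobile-app")).body)
```

The hardened handler changes three things at once, and each closes a different hole: authentication ties every lookup to a principal you can throttle and revoke, refusing email and phone as keys removes the oracle, and the allowlist means a new column added to the user table tomorrow does not silently appear in the API response.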
From Scraping to Scamming: Automating the Human Exploit Chain
Using scraped API data, attackers can:
- Personalize phishing emails for credibility
- Mimic legitimate services in SMS (smishing) or calls (vishing)
- Tailor attacks to roles (e.g., finance or HR teams)
- Chain OSINT data with generative AI for scalable spearphishing
Even tools like ChatGPT and PenTestGPT can be misused to craft near-perfect phishing emails—with urgency, context, and even email signatures built in.
Pro Tips for AppSec Teams
To keep your APIs from feeding social-engineering reconnaissance:
✅ Minimize exposed data: return only the properties the calling feature actually needs, and do not accept email or phone as a lookup key on a public endpoint
✅ Enforce strict rate limiting and throttling per API key, token and source IP
✅ Require API authentication—even for endpoints you consider non-critical
✅ Audit and inventory all public-facing APIs regularly, including legacy versions that still answer
✅ Monitor for scraping: many distinct lookup keys from one client in a short window, high not-found ratios and sequential identifiers are the signatures
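Two of the checklist items, rate limiting and scraping detection, are shown below in Python as an added example that is not part of the original post: a per-client token bucket, and a detector that walks access-log lines looking for one client issuing many distinct email or phone lookups in a short window with a high not-found ratio, which is what email-oracle enumeration looks like in logs. The log lines, the /api/users path, the IP addresses and the thresholds are constructed for the example.

```python
"""Per-client rate limiting and log-based enumeration detection for a lookup
endpoint. Constructed example; the log lines and thresholds are made up."""
import re
import time
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit


class TokenBucket:
    """Per-client token bucket: up to `capacity` requests in a burst, refilled
    at `rate` tokens per second. `clock` is injectable so tests are deterministic."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}  # client -> (tokens, time of last refill)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self._state[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


# Common-log-format line; the query string carries the lookup key.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
PII_PARAMS = ("email", "phone")  # search keys that turn an endpoint into an oracle


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    q = parse_qs(urlsplit(m["path"]).query)
    key = next((q[p][0] for p in PII_PARAMS if p in q), None)
    return {"ip": m["ip"], "status": int(m["status"]), "key": key,
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def detect_enumeration(lines, window_s=60, min_distinct=20):
    """One alert per client that, within any `window_s` window, looked up at
    least `min_distinct` different email/phone values. Reports the peak window."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        keys, misses, start, peak = Counter(), 0, 0, None
        for end, e in enumerate(evs):
            if e["key"]:
                keys[e["key"]] += 1
            misses += int(e["status"] == 404)
            # Slide the window start forward until the span fits in window_s.
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                old = evs[start]
                if old["key"]:
                    keys[old["key"]] -= 1
                    if not keys[old["key"]]:
                        del keys[old["key"]]
                misses -= int(old["status"] == 404)
                start += 1
            n = end - start + 1
            if len(keys) >= min_distinct and (peak is None or len(keys) > peak["distinct_keys"]):
                peak = {"ip": ip, "distinct_keys": len(keys), "requests": n,
                        "miss_ratio": misses / n, "window_end": e["ts"].isoformat()}
        if peak:
            alerts.append(peak)
    return alerts


def _line(ip, second, query, status):
    return (f'{ip} - - [01/Jan/2024:10:00:{second:02d} +0000] '
            f'"GET /api/users?{query} HTTP/1.1" {status} 318')


# Constructed log: one client walks 25 different emails in 25 seconds (most of
# them unregistered); another does a few ordinary username lookups.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, f"email=user{s}%40example.com", 200 if s % 5 == 0 else 404)
     for s in range(25)]
    + [_line("198.51.100.4", s, "username=alice_learns", 200) for s in (3, 17, 40)]
)

if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: {a['distinct_keys']} distinct lookup keys, "
              f"miss ratio {a['miss_ratio']:.2f}")
```

The bucket is keyed on whatever identifies the client (API key, token subject or, for anonymous traffic, source IP), and a scraper that stays under the per-client limit still shows up in the detector, because the signal there is the count of distinct lookup keys rather than raw request volume.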
Final Thought: Forgotten APIs Can Be the Weakest Link
Even if your core systems are secure, a single forgotten or misconfigured API can open a side door for attackers. The OSINT landscape is evolving fast—and APIs are now central to both defense and attack strategies.
