The API Self-Check: How Hackers Find the Endpoint You Forgot About
In June 2026, ServiceNow disclosed that a customer-facing API endpoint had been shipped with authentication switched off, letting anyone query internal tables on hosted customer instances without a password. It wasn’t an isolated case. In 2025, a deprecated Stripe payment endpoint, still connected to live systems, let attackers validate stolen card numbers for months before anyone noticed.