Securing API Keys: Lessons from the Anadolu Sigorta and HGS Breaches

Recently, the OneSignal API keys for the "Anadolu Sigorta" and "HGS" applications were compromised by a hacker, leading to unauthorized messages being sent to users.This incident underscores the critical importance of securing API keys to prevent such breaches.

Understanding Anadolu Sigorta and HGS

Anadolu Sigorta, established in 1925 under the initiative of Mustafa Kemal Atatürk, is one of Turkey's leading insurance companies, offering a wide range of services including vehicle, property, and health insurance. The company has been a pioneer in the Turkish insurance sector, continually adapting to modern technologies and customer needs.

HGS (Hızlı Geçiş Sistemi), or Fast Pass System, is an electronic toll collection system widely used by Turkish drivers for seamless passage through toll roads and bridges.Given its convenience, HGS is utilized by nearly all licensed drivers in Turkey, making it an integral part of daily commuting and travel.

The Breach Incident

In December 2024, unauthorized messages containing offensive language and threats were sent to users of both the Anadolu Sigorta and HGS applications.These messages demanded payments in Bitcoin, threatening to expose user data if the demands were not met.Investigations revealed that the hacker had gained access to the OneSignal API keys for these applications, allowing them to send push notifications without authorization.

The Importance of Securing API Keys

API keys serve as vital credentials that grant access to application programming interfaces (APIs), enabling different software applications to communicate and share data.If these keys are exposed or inadequately protected, malicious actors can exploit them to gain unauthorized access, manipulate data, or, as seen in this incident, send fraudulent messages to users.

Measures to Protect API Keys

1. Implement Strong Authentication Protocols: Utilize robust authentication methods such as OAuth to ensure that only authorized entities can access the API.

2. Encrypt Data Transmission: Employ SSL/TLS protocols to encrypt data transmitted between clients and servers, safeguarding it from interception.

3. Secure Storage of API Keys: Store API keys in secure environments, avoiding hard-coding them into applications or exposing them in public repositories.

4. Regularly Rotate API Keys: Periodically update API keys to minimize the risk associated with potential key exposure.

5. Implement IP Whitelisting: Restrict API access to specific IP addresses to prevent unauthorized usage from unknown sources.

6. Monitor API Usage: Continuously monitor API calls and set up alerts for suspicious activities to detect and respond to potential breaches promptly.

Conclusion

The incidents involving Anadolu Sigorta and HGS highlight the necessity of stringent API key management and security practices.By implementing comprehensive security measures, organizations can protect their systems and users from unauthorized access and potential threats, maintaining trust and ensuring the integrity of their services.