“[Company] suffers data breach, millions of customers affected.” Everybody has seen this headline multiple times. Most recently it was T-Mobile, but in the last three years it has also been Instagram, Facebook, Tinder, Air Canada, Panera, the IRS, and the most devastating of all, Equifax. Those are just the ones we know about. Luckily, the T-Mobile attack was mitigated by network and traffic monitoring, but that makes them the exception. What all of these breaches have in common is their API design and a fundamentally flawed approach to security, which most likely came about for a simple reason: the use cases and users the API was designed for changed over time, and no one realized that the initial assumptions, constraints, and requirements had changed with them.

To put it another way, our APIs are being used for applications and situations we never envisioned. Unfortunately, that doesn’t absolve us of responsibility. The entire.