Security · 1h ago
API Scrape Postmortem: How 251 Requests Nearly Drained a Database
An attacker made 251 requests to a visa API, extracting 0.6% of its 39,585-pair database before the key was revoked. The requests showed a methodical pattern: one passport fully scraped at ~25 requests per minute, then a move to the next. The incident highlights that rate limits are cost controls, not security measures, and that logging must capture network-level data to block repeat offenders.
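The two signals the summary calls out, a per-key sweep pattern (one passport enumerated to completion, then the next) and the need to tie each key to a source IP so that revoking the key is not merely a speed bump, can both be pulled out of ordinary access logs. The following is an added example, not code from the post or from DEV Community: it assumes a hypothetical log line format (`timestamp api_key src_ip path`), an eight-entry destination catalogue standing in for the real API's, and a 75% coverage threshold; the log lines are constructed, not taken from the incident.

```python
"""Flag enumeration-style scraping in API access logs and correlate flagged
keys to source IPs. Added example with constructed data; log format,
catalogue and thresholds are assumptions, not the incident's real values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical destination catalogue (the real API had far more pairs).
DESTINATIONS = ["ARG", "BRA", "CAN", "DEU", "FRA", "JPN", "MEX", "USA"]

# Assumed log line shape: "<ISO-8601 UTC> <api_key> <src_ip> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<key>\S+) (?P<ip>\S+) "
    r"/v1/visa\?passport=(?P<passport>[A-Z]{3})&destination=(?P<dest>[A-Z]{3})$"
)


def parse_log(text):
    """Turn raw log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "key": m["key"], "ip": m["ip"],
            "passport": m["passport"], "dest": m["dest"],
        })
    return events


def peak_requests_per_minute(timestamps):
    """Largest number of requests falling inside any 60-second window."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= timedelta(minutes=1):
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events, coverage_threshold=0.75):
    """Flag keys that swept most of the catalogue for at least one passport.

    The decisive signal is coverage, not rate: a slow, polite scraper stays
    under a rate limit but still enumerates a passport to completion.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e)
    findings = {}
    for key, evs in by_key.items():
        coverage = defaultdict(set)
        for e in evs:
            coverage[e["passport"]].add(e["dest"])
        swept = sorted(p for p, d in coverage.items()
                       if len(d) / len(DESTINATIONS) >= coverage_threshold)
        if swept:
            findings[key] = {
                "peak_rpm": peak_requests_per_minute(e["ts"] for e in evs),
                "pairs_extracted": len({(e["passport"], e["dest"]) for e in evs}),
                "swept_passports": swept,
                "ips": sorted({e["ip"] for e in evs}),
            }
    return findings


def correlate_ips(events, findings):
    """Map every IP seen with a flagged key to all keys that IP used.

    This is the step that needs network-level logging: without it, a revoked
    key tells you nothing about the next key the same client will use.
    """
    flagged_ips = {ip for f in findings.values() for ip in f["ips"]}
    keys_by_ip = defaultdict(set)
    for e in events:
        if e["ip"] in flagged_ips:
            keys_by_ip[e["ip"]].add(e["key"])
    return {ip: sorted(keys) for ip, keys in keys_by_ip.items()}


def _sweep_lines(key, ip, start, passports, interval_s, dests=DESTINATIONS):
    """Build constructed log lines: each passport enumerated against dests."""
    lines, t = [], start
    for p in passports:
        for d in dests:
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {key} {ip} "
                         f"/v1/visa?passport={p}&destination={d}")
            t += timedelta(seconds=interval_s)
    return lines


T0 = datetime(2024, 1, 1, 10, 0, 0)
# Constructed sample log: a fast sweeper, a legitimate low-volume user, and
# a second key from the sweeper's IP that stays under any sane rate limit.
SAMPLE_LOG = "\n".join(
    _sweep_lines("key_a1", "203.0.113.7", T0, ["IND", "PAK", "NGA"], 2.4)
    + _sweep_lines("key_b2", "198.51.100.20", T0, ["GBR"], 200,
                   dests=["FRA", "DEU", "JPN"])
    + _sweep_lines("key_c3", "203.0.113.7", T0 + timedelta(minutes=5), ["BGD"], 7.5)
)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = analyze(evs)
    for key, f in found.items():
        print(key, f)
    print("IPs to watch:", correlate_ips(evs, found))
```

Run stand-alone, the script flags `key_a1` (about 25 requests per minute, three passports swept) and `key_c3` (eight requests per minute, one passport swept), while the legitimate `key_b2` is left alone; the IP correlation then links both flagged keys to `203.0.113.7`, which is the list a responder actually needs when the first key has already been revoked.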
Meridian48 take
The author's forensic breakdown is a practical lesson for any API builder, but the real takeaway is that without IP-level logging, blocking a key is just a speed bump for a determined scraper.
Read the full reporting
Anatomy of an API scrape: reading 251 requests like a crime scene →
DEV Community
api-security · scraping-defense