It must be the season for API security incidents. Hot on the heels of a developer leaking an API key for private Tesla and SpaceX LLMs, researchers have now discovered a set of tools for validating account information via API abuse, leveraging undocumented TikTok and Instagram APIs.

The tools, and assumed exploitation, involve malicious Python packages - checker-SaGaF, stein lurks, and inner core - uploaded to PyPI. These packages automate the process of verifying whether a stolen email, username, or password were linked to an active account.  In this post, we’ll explore the details of this incident and how Wallarm can help protect against similar API misuse.  

What Happened: APIs Turned into Recon Tools

Each of the packages targeted legitimate, largely undocumented API endpoints used by official apps for account recovery, login checks, and signup flows. By leveraging these API endpoints, the tools confirmed whether a given email, username, or password was tied to a valid account without triggering alerts. 

For example: 

• TikTok’s internal password reset API was used to send fake password recovery requests. If the API returned a “Sent Successfully” response, attackers would know the email and be connected to a real account. 
• Instagram’s login API was probed with dummy credentials. If the error response indicated a wrong password, but didn’t mention the user was invalid, it confirmed the username existed. 
• Additional Instagram endpoints were used to check email availability during signup, trigger password resets, or query user lookup APIs. These endpoints weren’t meant for public access, but since they were accessible over the internet, they were fair game for abuse. 

This isn’t really a compromise, per se. It’s a toolset supporting automated and scalable reconnaissance using these platforms’ own APIs to do the heavy lifting. 

The Stakes: Why Validation Matters

By chaining the validation tests available in these tools, attackers could build verified lists of active TikTok and Instagram accounts. By validating credentials, malicious actors dramatically increased their value for resale and provide a reliable foundation for future attacks like credential stuffing or phishing. 

Some of the tools and tests rotated user agents, spoofed device details, and randomized requests to avoid rate limits and detection. This means credentials weren’t added to platforms like Have I Been Pwned, which track exposed credentials, demonstrating a level of sophistication beyond basic bot activity. 

What’s more, because password reuse is still rampant, testing credentials on platforms like Instagram or TikTok allows attackers to identify which ones might work elsewhere, such as on email, online banking, or e-commerce accounts. Essentially, attackers turned these legitimate APIs into reconnaissance tools, helping them map exploitable identities. 

Malicious Automation, Disguised as Normal Behavior

These credential checkers are an example of how malicious automation can leverage legitimate apps to evade detection. For example, steinlurks used multiple functions to target Instagram, cycling through different endpoints, rotating session IDs, and spoofing device details to avoid detection. 

This isn’t just API abuse; it's stealthy, adaptive automation designed to blend in with real user traffic and fly under the radar of traditional defenses. 

Detecting API Abuse: Why Behavior Matters

Because these requests resemble legitimate application requests, conventional defenses like IP blocking, rate limits, or static bot detection aren’t enough. Organizations need behavioral detection, monitoring how APIs are used over time, instead of looking at individual requests. While these testing tools may send requests that are crafted to appear valid, they don’t replicate the applications’ behavior across a whole session. 

This is where Wallarm’s API Abuse Prevention capability comes in. We combine machine learning (ML) and statistical analysis to detect signs of abuse, including: 

• Abnormal request rates or patterns
• Session and IP rotation behaviors
• Low endpoint diversity, indicating bots hitting specific functions repeatedly
• Unusual authentication activity
• Intent-based signals, such as initiating recovery flows without prior login attempts

Wallarm’s detectors establish baselines for specific aspects of application behavior over time, then identify anomalous sessions. The combination of detectors point towards specific malicious behaviors, like account takeover attempts. When the platform detects suspicious activity, it automatically blocks or throttles the source, minimizing the risk of abuse. 

What Security Leaders Should Do

To protect against sophisticated API abuse like credential validation campaigns, security leaders should take the following steps: 

• Audit API Endpoints: Regularly review all exposed APIs, including account recovery, login, and user lookup endpoints. Use API discovery tools to identify undocumented or shadow APIs. 
• Harden Error Responses: Standardize and sanitize error messages to avoid revealing whether an account exists. 
• Monitor Behavior, Not Just Volume: Go beyond rate limits. Use behavioral monitoring to detect unusual patterns, such as repeated access to specific endpoints or inconsistent session activity. 
• Use Real-Time Abuse Prevention: Deploy tools like Wallarm that use ML to detect and block automated attacks based on intent and context, not just volume or headers. 
• Update Models Frequently: Reflect new abuse methods in your threat models and risk assessments. Evolve your defenses as attackers evolve tactics. 
• Limit Data Exposure: Review what data your APIs return and enforce the principle of least privilege. Don’t expose more than you need to. 
• Secure Access Controls: Enforce authentication and authorization for sensitive operations. Ensure endpoints like password resets can’t be accessed anonymously. 

Ultimately, combining smart design, real-time protection, and continuous monitoring will help turn your APIs from soft targets into hardened assets. 

Open APIs Need Intelligent Defenses

APIs are designed to be open and accessible. Unfortunately, that openness creates risk. The TikTok and Instagram credential checker campaigns show how attackers can quietly exploit APIs to validate stolen data without ever tripping an alarm. 

This wasn’t a breach in the traditional sense. It was a quiet, calculated misuse, turning helpful features into tools for exploitation. If you’re not actively monitoring how your APIs are used, not just how often, you’re missing the early signs of abuse. And in today’s increasingly treacherous threat landscape, early detection is everything. Want to find out more about how Wallarm can help protect your organization from evolving API abuse? Schedule a demo.