Security Incidents at ServiceNow and SoFi HK: The Risks of API Misconfigurations and Third-Party Vendors

June 10, 2026

Summary

In June 2026, two major security incidents were disclosed: IT service provider ServiceNow and online broker SoFi Hong Kong both suffered data leaks. While ServiceNow’s leak stemmed from an incorrectly configured API endpoint that allowed unauthenticated access to customer data, SoFi HK’s breach resulted from unauthorized access to a database hosted by a third-party vendor. Both incidents underscore the persistent threat posed by unsecured interfaces and supply chain vulnerabilities.

What happened?

At ServiceNow, a Scripted REST API endpoint (/api/now/related_list_edit/create) had its requires_authentication parameter incorrectly set to false. This allowed unauthenticated actors to query data directly from customer instance tables. ServiceNow patched the vulnerability on June 5, 2026, and publicly disclosed the incident on June 9, 2026. The issue primarily affected instances on the “Australia” platform release or those with specific custom configurations.

SoFi Hong Kong detected unauthorized access to an external vendor’s database on April 30, 2026. This database contained customer information. The exact number of affected clients and the categories of compromised data remain under investigation. This incident is entirely separate from the U.S. SoFi Technologies breach reported in January 2026.

Why it matters

APIs and third-party vendors are the Achilles’ heels of modern IT infrastructure. A single configuration error in an API can instantly expose sensitive corporate data globally. Similarly, the SoFi HK incident demonstrates that an organization’s security posture is only as strong as its weakest vendor link. For enterprises, both events serve as a critical wake-up call to re-evaluate API security controls and third-party risk management.

Evidence

The ServiceNow vulnerability was detected through anomalous query behavior. Analysis of system logs showed unauthorized requests originating from IP address 51.159.98.241. ServiceNow confirmed the incident and notified affected customers directly via its support portal. SoFi HK officially confirmed the breach, stated that customer data was exfiltrated from the vendor’s database, and warned customers of potential phishing attempts.

Analysis

The ServiceNow leak highlights the dangers of “Default-to-Open” configurations in API design. Developers must enforce strict authentication settings by default (Zero Trust API design). For SoFi HK, the incident underscores the challenges of Third-Party Risk Management (TPRM). Offloading data storage to partners often limits direct oversight of their internal security protocols.

Practical Takeaways

  • Audit API Configurations: Regularly audit Scripted REST APIs and verify that requires_authentication is set to true for all sensitive resources.
  • Review Access Control Lists (ACLs): Implement the principle of least privilege at the database table level to prevent unauthorized data extraction even if an API is misconfigured.
  • Monitor System Logs: Search audit logs for suspicious IP addresses and unusual API request volumes or patterns.
  • Strengthen Vendor Audits: Tighten security requirements and compliance checks for all third-party vendors handling company or customer data.
  • Enable 2FA and Reset Passwords: SoFi HK clients should immediately update their passwords and enable two-factor authentication (2FA).
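
The first and third takeaways can be combined into one check. The script below is an added example, not code from ServiceNow or from the sources: it flags active resources whose requires_authentication is not true, then counts successful session-less requests to those routes per source IP. The export keys other than requires_authentication, the log line layout, and all sample records and IP addresses are constructed assumptions.

```python
import json
from collections import Counter

# Constructed export of Scripted REST resource records. Only
# requires_authentication is named on the page; the other keys are assumed.
RESOURCES = json.loads("""[
 {"method": "POST", "path": "/api/now/related_list_edit/create",
  "active": "true", "requires_authentication": "false"},
 {"method": "GET", "path": "/api/x_demo/orders",
  "active": "true", "requires_authentication": "true"},
 {"method": "GET", "path": "/api/x_demo/status", "active": "true"},
 {"method": "GET", "path": "/api/x_demo/legacy",
  "active": "false", "requires_authentication": "false"}
]""")

# Constructed log lines: source_ip method path status user ("-" = no session).
LOG = """\
203.0.113.7 POST /api/now/related_list_edit/create 200 -
203.0.113.7 POST /api/now/related_list_edit/create 200 -
203.0.113.7 GET /api/x_demo/status?page=2 200 -
198.51.100.4 POST /api/now/related_list_edit/create 200 alice
198.51.100.9 POST /api/now/related_list_edit/create 401 -
203.0.113.7 GET /api/x_demo/orders 401 -
"""

def is_true(value):
    # JSON exports may carry booleans as strings, so normalise before comparing.
    return str(value).strip().lower() in ("true", "1")

def unauthenticated_resources(records):
    """Active resources that do not require authentication (missing flag counts as open)."""
    return [(r["method"], r["path"]) for r in records
            if is_true(r.get("active", "true"))
            and not is_true(r.get("requires_authentication", "false"))]

def anonymous_hits(log_text, flagged):
    """Per source IP, count successful session-less requests to flagged resources."""
    exposed, hits = set(flagged), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of guessing at fields
        ip, method, path, status, user = parts
        path = path.split("?", 1)[0]  # match on the route, not the query string
        if (method, path) in exposed and user == "-" and status.startswith("2"):
            hits[ip] += 1
    return dict(hits)

if __name__ == "__main__":
    flagged = unauthenticated_resources(RESOURCES)
    print("open resources:", flagged)
    print("anonymous 2xx hits by IP:", anonymous_hits(LOG, flagged))
```

A resource with no requires_authentication value is reported as open on purpose, so that an incomplete export fails closed instead of passing the audit.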

Open Questions

It remains unclear how many ServiceNow customer instances were actively queried and which specific tables were targeted. Similarly, for SoFi HK, the identity of the compromised third-party vendor and the scope of the leaked data have not yet been disclosed.
