Some large applications grant API administrative access by default. API services exposed by applications don't always require authentication by default, and in most organizations there is little to no firewalling or access control in place around them. An unhappy employee with a few free hours at his or her disposal can suck your database dry, since those requests will look just like any other B2B-type calls. You have three options: limit access to API services using firewalls, access lists or other segmentation technologies; force authentication (preferably bidirectionally); and monitor the data flows around those portions of the network.
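The third option, monitoring the data flows, is the one that catches the scenario above: each request looks legitimate on its own, so the signal is the volume one identity pulls over time relative to its peers. The following is an added example, not code from the article or from any product it mentions. It assumes a simple access-log layout (timestamp, client id, method, path, status, bytes out, records returned; an unauthenticated call is logged with client id `-`), builds a constructed sample log inline, and flags both unauthenticated successful calls and any client whose record pull exceeds a multiple of the median across clients. The log format, field names and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed log layout (an assumption for this example, not a standard format):
# <timestamp> <client_id> <method> <path> <status> <bytes_out> <records_returned>
# An unauthenticated call is logged with client_id "-".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<records>\d+)$"
)


def _constructed_log():
    """Build a constructed sample log: three normal B2B clients, one
    unauthenticated call, and one account paging through the whole table."""
    lines = [
        "2024-01-10T09:00:01Z acct-17 GET /api/v1/customers?page=1 200 40960 200",
        "2024-01-10T09:00:04Z acct-22 GET /api/v1/customers?page=1 200 40960 200",
        "2024-01-10T09:00:09Z acct-31 GET /api/v1/customers?page=1 200 40960 200",
        "2024-01-10T09:00:12Z acct-17 GET /api/v1/customers?page=2 200 40960 200",
        "2024-01-10T09:00:15Z - GET /api/v1/customers?page=1 200 40960 200",
    ]
    for page in range(1, 61):  # acct-44 walks 60 pages of 200 records each
        lines.append(
            f"2024-01-10T09:{page // 60:02d}:{page % 60:02d}Z acct-44 GET "
            f"/api/v1/customers?page={page} 200 40960 200"
        )
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = int(d["bytes"])
    d["records"] = int(d["records"])
    return d


def summarize(lines):
    """Aggregate request count, bytes and records returned per client_id,
    counting only successful (200) responses."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "records": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        t = totals[rec["client"]]
        t["requests"] += 1
        t["bytes"] += rec["bytes"]
        t["records"] += rec["records"]
    return dict(totals)


def unauthenticated_calls(lines):
    """Count successful calls with no client identity: the 'no auth by default'
    case that the authentication control should drive to zero."""
    return sum(
        1 for line in lines
        if (r := parse_line(line)) is not None and r["client"] == "-" and r["status"] == 200
    )


def find_bulk_pullers(summary, factor=10, floor=1000):
    """Flag authenticated clients whose records pulled exceed both an absolute
    floor and `factor` times the median of their peers. Threshold values are
    assumptions to be tuned per environment."""
    authenticated = {c: t for c, t in summary.items() if c != "-"}
    if not authenticated:
        return []
    baseline = median(t["records"] for t in authenticated.values())
    threshold = max(floor, factor * baseline)
    return [
        (client, t["records"], t["requests"])
        for client, t in sorted(authenticated.items())
        if t["records"] > threshold
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("unauthenticated successful calls:", unauthenticated_calls(SAMPLE_LOG))
    for client, records, requests in find_bulk_pullers(summary):
        print(f"ALERT {client}: {records} records over {requests} requests")
```

On the constructed log, the three ordinary clients pull 200 to 400 records each, so the median baseline is 300 and the threshold is 3,000; the account that walks all 60 pages (12,000 records) is flagged while the ordinary clients are not. A peer-relative baseline like this is a starting point; in production you would compute it per endpoint and per time window, since a client that is normal for one resource can be anomalous for another.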
Source: https://threatpost.com/danger-open-apis-011810/73388/

