
How an app with 20M users leaks sensitive data

Hieu Nguyen — March 21, 2021

A mistake that sends sensitive data to the public, with the possibility of compromising users' social accounts.


It's one of the silliest mistakes you can make. But who knows; when you get busy, things can happen.

A few days ago, I was on this page, a social platform with 20M users. Wandering around a user profile, I opened his followers page. I must have been switching between debugging my website and, out of curiosity, I had a look at an XHR data request on their website.

And bam, the request contains a list of users with personal information, and also the access tokens from their social platform accounts.

With those access tokens, hackers can gain control over social accounts. I guess a large portion of those tokens is still valid. Besides, personal data with contact details is valuable. Many companies want it for cold calls/emails, risking users' privacy.

For 20 million users, this issue is serious.

There is no good explanation for this mistake. The tokens don't look fake. Maybe their team built the API for convenience, without being careful enough.

Preventing this mistake as a developer

You can prevent this mistake by following the principle of least privilege: limit the permissions of users so they can only perform the actions they need, no more. And besides:

  • Store sensitive info in a different table
  • Build each API with a single purpose (i.e. don't use one endpoint to get user info and their sensitive data)
  • Always validate that the request has the right permission. Especially, double check if you have a page that lists users (i.e. a list of followers). And prevent hackers from crawling your APIs (i.e. using rate limiting, IP blacklists)
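As an added example, and not code from the post or from the platform it describes, the following sketches the three points above in Python with an in-memory SQLite database. The schema, user names and `TOKEN-...-placeholder` values are constructed for the example. `followers_vulnerable` is the convenient shape the post warns about: one table for everything and `SELECT *` serialised straight out; `followers_public` keeps secrets in their own table, requires an authenticated requester, returns only an explicit list of public columns, and applies a simple sliding-window rate limit per requester. `leaked_fields` is a small check you can run over any serialised user list to see which non-public keys made it into the response.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Constructed sample schema (not from the post): "users_legacy" mixes public
# profile data with contact details and third-party tokens in one table; the
# hardened layout splits them into "users" (public) and "user_secrets".
SCHEMA = """
CREATE TABLE users_legacy (id INTEGER PRIMARY KEY, username TEXT,
    email TEXT, social_access_token TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE user_secrets (user_id INTEGER PRIMARY KEY REFERENCES users(id),
    email TEXT, social_access_token TEXT);
CREATE TABLE follows (user_id INTEGER, follower_id INTEGER);
"""

# Constructed users with placeholder tokens; bob and carol follow alice.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "TOKEN-alice-placeholder"),
    (2, "bob", "bob@example.com", "TOKEN-bob-placeholder"),
    (3, "carol", "carol@example.com", "TOKEN-carol-placeholder"),
]
SAMPLE_FOLLOWS = [(1, 2), (1, 3)]

# The only columns a followers page needs; everything else stays server-side.
PUBLIC_FIELDS = ("id", "username")


def build_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users_legacy VALUES (?,?,?,?)", SAMPLE_USERS)
    db.executemany("INSERT INTO users VALUES (?,?)",
                   [(u[0], u[1]) for u in SAMPLE_USERS])
    db.executemany("INSERT INTO user_secrets VALUES (?,?,?)",
                   [(u[0], u[2], u[3]) for u in SAMPLE_USERS])
    db.executemany("INSERT INTO follows VALUES (?,?)", SAMPLE_FOLLOWS)
    return db


def followers_vulnerable(db, target_id):
    """The convenient version: SELECT * over the all-in-one table, then
    serialise every column. Emails and tokens ride along in the response."""
    rows = db.execute(
        "SELECT u.* FROM users_legacy u JOIN follows f ON f.follower_id = u.id "
        "WHERE f.user_id = ? ORDER BY u.id", (target_id,))
    return [dict(r) for r in rows]


class RateLimiter:
    """Sliding-window limiter keyed by requester: a brake on bulk crawling."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max, self.window, self.clock = max_requests, window_seconds, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def followers_public(db, requester_id, target_id, limiter):
    """Hardened version: authenticated caller only, rate limited, and an
    explicit column list from the public table. user_secrets is never joined."""
    if requester_id is None:
        raise PermissionError("login required to list followers")
    if not limiter.allow(requester_id):
        raise RuntimeError("rate limit exceeded")
    # Column list comes from the PUBLIC_FIELDS constant, not from the request.
    cols = ", ".join(f"u.{c} AS {c}" for c in PUBLIC_FIELDS)
    rows = db.execute(
        f"SELECT {cols} FROM users u JOIN follows f ON f.follower_id = u.id "
        "WHERE f.user_id = ? ORDER BY u.id", (target_id,))
    return [dict(r) for r in rows]


def leaked_fields(payload):
    """Non-public keys present in a serialised user list; empty means clean."""
    return sorted({k for row in payload for k in row if k not in PUBLIC_FIELDS})


if __name__ == "__main__":
    db = build_db()
    print("vulnerable leaks:", leaked_fields(followers_vulnerable(db, 1)))
    print("hardened leaks:",
          leaked_fields(followers_public(db, 2, 1, RateLimiter(5, 60))))
```

Running it prints `['email', 'social_access_token']` for the vulnerable endpoint and `[]` for the hardened one. The `leaked_fields` check is the kind of assertion worth putting in an API test: compare every serialised object against an allow-list of public keys rather than a deny-list of known secrets, so a new sensitive column added later fails the test instead of silently shipping.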

Some afterthoughts.

  1. Using a social platform for authentication (signup, login) is still dangerous. Even though the platform itself is secure, only a few of the apps you connected to are. If one app leaks users' access tokens, that's it.
  2. Maybe passwordless authentication (login with a magic link) is a near and brighter future. Unless you use the same password everywhere and one of your online shops gets hacked. Or worse, that online shop doesn't store passwords securely.
  3. Sometimes rushing to deliver a project can cause a mistake like this :P. Also, make it easier for anyone to report an incident like this.

P/S: I've contacted the team to fix the issue mentioned above. A friendly reminder to double check your APIs with sensitive data. We're all busy, mistakes can happen.

Hieu Nguyen

I'm a developer, hobbyist photographer. Building Inverr — a NoCode Site Builder
