After someone alerted Hunt to the vulnerability, he discovered that hackers could exploit Spoutible's API to obtain a user's name, username, and bio, along with their email, IP address, and phone number.
And, to top it all off, Hunt found that the API returned the 2FA code used to sign in to someone's account, as well as the reset tokens generated to help a user change a forgotten password. This could let hackers easily gain access to and hijack someone's account without alerting them to the breach.
[
add
]
[
|
|
...
]