
I had a feeling some would get hung up on the "passport" thing. The "private" intimate chats were leaked, too. And full name, city, university, phone numbers, sexual preferences, and geolocation. And photographs, obviously. I assume the passport/ID stuff was for "verified accounts", but again, none of that crap should be saved in a database - a boolean default false "VERIFIED" in the user table should suffice.

The disclosure didn't show every API endpoint, just a few dealing with auth and profiles. They also mentioned only a few PII; you can tell because there were multiple screenshots spread throughout the post. I'm harping on passport for the reason you specify, too; but mostly that information shouldn't be stored...


