Carlsberg… probably not the best cybersecurity in the world
ID: 2ad07f84-c8a1-5c1e-bc87-53c83182f63b
STIX ID: report--2ad07f84-c8a1-5c1e-bc87-53c83182f63b
Feed Name: Pen Test Partners Blog
A researcher discovered that Carlsberg’s exhibition wristbands used low-entropy IDs that could be brute-forced to access visitors’ media and full names, exposing PII. The researcher reported the issue via Zerocopter but received minimal engagement, and the rate-limiting mitigation that was applied proved ineffective, so the issue remained exploitable. This prompted public disclosure over 150 days later.
