How Spoutible’s Leaky API Spurted out a Deluge of Personal Data
ID: f4e0f8df-e55a-56b4-bf67-b2255b33bfd0
STIX ID: report--f4e0f8df-e55a-56b4-bf67-b2255b33bfd0
Feed Name: Troy Hunt – Security Blog
A public Spoutible API improperly returned extensive sensitive user fields (emails, IPs, phone numbers, bcrypt password hashes, 2FA secrets and backup codes, and password-reset tokens), allowing attackers to enumerate and scrape ~207,000 user records and facilitating easy account takeover. The issue was disclosed and remediated within hours, but the harvested data persists.
