They didn't assume nobody would guess the URL.
They did take active steps to ensure the data was only available at the correct time.
But they didn't check that their access control was working, and it wasn't.
They didn't assume nobody would guess the URL.
They did take active steps to ensure the data was only available at the correct time.
But they didn't check that their access control was working, and it wasn't.