What can we learn from this?

The lesson here is that security must be built into the design of APIs and not just bolted on as a secondary feature. The fact that the information was exposed through a private API suggests that developers did not fully understand how their code worked or what data they were actually exposing
https://t.co/EJ39sk20Ir