How about something anyone with a little technical knowledge about HTTP requests and their automation could have done? Seriously, this “hack” wasn’t incredibly deep.
The most technical portion of the security hole was finding the URL in the first place. And as any security person should tell you, security through obscurity is not security.
