zrobotics a day ago
I'm not at all confident we don't have any security issues; that would be an impossible statement to make no matter what company I work for. I am confident we don't have issues like baking API secrets into our shipped JavaScript, or just not doing auth at all and not validating account registration endpoints. Again, these are literally 101-level errors that any level of testing should have caught. PCI compliance isn't what I would call the highest bar for software security, and this stuff would fail an audit (at least the ones I've been involved in; I'm sure there are people who rubber-stamp them). So while I can't say we don't have security vulnerabilities, I am very confident we don't have the types of vulnerabilities that anyone with even a passing knowledge of pentesting would be looking for.
dzhiurgis a day ago
So you must be confident enough to post the URLs you are working on? IMO what OP posted is hilarious but really a nothing burger. Access to some analytics, some training material, and a list of filenames is worthless. Yes, pretty amateur mistakes, but ultimately it has 0 impact.