🕵️ The competitor's spy

Broken object level authorisation (BOLA, also known as IDOR)

It's Thursday afternoon and you're celebrating your best sales month ever with the team. Your B2B analytics platform just hit €50K MRR and you're preparing for Series A conversations.

Then your phone rings. It's Sarah from MegaCorp, one of your biggest customers.

"Hey, I'm looking at my dashboard and... why can I see TechFlow Industries' usage data and pricing? Isn't that your biggest competitor?"

Your stomach drops. TechFlow Industries is indeed your main competitor, and they signed up for a trial account last week.

Technical Issue: When a user navigates to /dashboard/account/12345, your API checks that the request is authenticated but never checks that the caller's organisation actually owns account 12345. Authentication succeeds, authorisation never happens: any logged-in user, including the trial account TechFlow created last week, can edit the numeric ID in the URL and read another customer's usage and pricing data.
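To make the missing check concrete, here is an added example (not code from the scenario's platform) that models the /dashboard/account/&lt;id&gt; handler in plain Python: the vulnerable lookup beside the fixed one, plus a probe that enumerates which foreign accounts a session can read. The data store, organisation IDs, session objects and account 12346 are all constructed for illustration.

```python
"""Added example: object-level authorisation on /dashboard/account/<id>.

Everything here is a stand-in: ACCOUNTS, the org_id tenant key and the
two sessions are constructed data, not the scenario's real platform.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    org_id: int            # tenant that owns this account
    name: str
    monthly_price_eur: int


@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: int            # tenant the authenticated user belongs to


# Constructed sample data: two tenants sharing one platform.
ACCOUNTS = {
    12345: Account(12345, org_id=1, name="MegaCorp", monthly_price_eur=4900),
    12346: Account(12346, org_id=2, name="TechFlow Industries", monthly_price_eur=0),
}
MEGACORP_USER = Session(user_id="sarah", org_id=1)
TECHFLOW_USER = Session(user_id="trial", org_id=2)


class Unauthorized(Exception):
    pass


class NotFound(Exception):
    pass


PATH_RE = re.compile(r"^/dashboard/account/(\d+)$")


def parse_account_id(path):
    """Extract the numeric id from the URL; this is the value an attacker edits."""
    m = PATH_RE.match(path)
    if m is None:
        raise NotFound(path)
    return int(m.group(1))


def get_account_vulnerable(session, account_id):
    """Authentication only: the lookup is keyed on the URL id alone (BOLA)."""
    if session is None:
        raise Unauthorized()
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise NotFound(account_id)
    return acct


def get_account_fixed(session, account_id):
    """Authorisation added: scope the lookup by the caller's tenant (the
    equivalent of `... WHERE id = ? AND org_id = ?`) and answer 404 for both a
    missing id and another tenant's id, so valid ids cannot be enumerated."""
    if session is None:
        raise Unauthorized()
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.org_id != session.org_id:
        raise NotFound(account_id)
    return acct


def respond(handler, path, session):
    """Route a request and map the outcome to an HTTP-style (status, body)."""
    try:
        acct = handler(session, parse_account_id(path))
    except Unauthorized:
        return 401, None
    except NotFound:
        return 404, None
    return 200, {"name": acct.name, "monthly_price_eur": acct.monthly_price_eur}


def cross_tenant_leaks(handler, session):
    """Regression probe: ids of accounts the caller's tenant does not own but
    can still read through `handler`. An empty set means no BOLA here."""
    leaked = set()
    for account_id, acct in ACCOUNTS.items():
        if acct.org_id == session.org_id:
            continue
        try:
            handler(session, account_id)
        except NotFound:
            continue
        leaked.add(account_id)
    return leaked


if __name__ == "__main__":
    # Sarah (MegaCorp) requesting TechFlow's account by editing the URL id
    print(respond(get_account_vulnerable, "/dashboard/account/12346", MEGACORP_USER))
    print(respond(get_account_fixed, "/dashboard/account/12346", MEGACORP_USER))
    print(sorted(cross_tenant_leaks(get_account_vulnerable, MEGACORP_USER)))  # [12346]
    print(sorted(cross_tenant_leaks(get_account_fixed, MEGACORP_USER)))       # []
```

The probe is the part worth keeping after the incident: run it from a session in every tenant role against every object-returning endpoint, and fail the build whenever it returns anything but an empty set.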

What's your immediate first move?
