by paulvs 3197 days ago
It's standard for banking apps to go through all sorts of testing including penetration testing before going into production (here in Paraguay that's how we do it).

That this went unnoticed suggests that:

- the API architect (assuming this web site obtained data via an API, not directly from the database) forgot to validate that the requested account belonged to the provided cookie

- the web developer didn't think to test this

- there was either no penetration testing (the author mentioned that this feature was likely released in a rush), or it was not properly performed
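As an added illustration of the missing check the comment describes (this is example code, not from the thread or from any real bank's API), the account endpoint below is shown once as an authenticated-but-unchecked lookup and once with the ownership validation, plus the regression test a developer could have run. The session store, account records and cookie values are constructed sample data; the HTTP status codes are conventional and the function names are hypothetical.

```python
# Added example: an account lookup that trusts the account id in the request,
# beside the same lookup with an ownership check bound to the session cookie.
# All data below is constructed sample data, not from any real system.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance_cents: int


# Constructed sample data: session cookie value -> authenticated user id
SESSIONS = {"cookie-alice": "u-alice", "cookie-bob": "u-bob"}

# Constructed sample data: account id -> account record
ACCOUNTS = {
    "1001": Account("1001", "u-alice", 250_00),
    "1002": Account("1002", "u-bob", 99_00),
}


def user_from_cookie(cookie):
    """Resolve the session cookie to a user id, or None if not authenticated."""
    return SESSIONS.get(cookie)


def get_account_vulnerable(cookie, account_id):
    """Authenticates the caller but never checks that account_id belongs to
    that caller: the validation step the comment says was forgotten."""
    if user_from_cookie(cookie) is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return 404, None
    return 200, acct


def get_account_hardened(cookie, account_id):
    """Same endpoint with the ownership check: the account must belong to the
    user bound to the session. A foreign account gets the same 404 as a
    nonexistent one, so the response does not reveal which ids exist."""
    user_id = user_from_cookie(cookie)
    if user_id is None:
        return 401, None
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_id != user_id:
        return 404, None
    return 200, acct


def cross_account_leaks(handler):
    """The test the comment says nobody ran: try every valid session against
    every account and report (cookie, account_id) pairs where a non-owner
    receives 200. An empty list means the ownership check holds."""
    leaks = []
    for cookie, user_id in SESSIONS.items():
        for account_id, acct in ACCOUNTS.items():
            status, _ = handler(cookie, account_id)
            if acct.owner_id != user_id and status == 200:
                leaks.append((cookie, account_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_leaks(get_account_vulnerable))
    print("hardened handler leaks:  ", cross_account_leaks(get_account_hardened))
```

The point of `cross_account_leaks` is that the ownership property is cheap to state as a test over all (session, account) pairs, which is exactly the kind of check that belongs in the pre-production test suite or a pentest plan regardless of how rushed the feature was.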