If you’re not requiring any level of authorisation to enable someone to read a post (i.e., this post has been removed, you can’t see it any more, or this is a private post, you must be a friend of its author to see it), then you’re just relying on people not being able to guess its ID and grab it from the API. It’s a poor version of security through obscurity. Could have easily been rectified by using UUIDs instead of sequential integers (which is what I’m _guessing_ they used).
They used sequential integers, which means it wasn't even security through obscurity. There wasn't any form of security. Not even a Post-it with "please don't hack me".
With a browser and enough time at hand even my grandfather could have dumped their whole DB.
If by "dumped their whole DB" you mean "a snapshot of their public pages", then yes. Otherwise, no. This was an ArchiveTeam-affiliated scraping operation that relied on slurping down as much public-facing data as quickly as possible, just like their other efforts.
> When news of donk_enby's archival efforts broke, several viral tweets, Reddit posts, and Facebook posts claimed that she had captured private information, scans of drivers licenses and IDs, and other highly sensitive information. She said those posts are “not at all” accurate.
>
> “Everything we grabbed was publicly available on the web, we just made a permanent public snapshot of it,” donk_enby told me.