Hacker News
by Something1234 1704 days ago
I feel like that would be a decent option for a surrogate key for public identification of an item and potentially cheaper than generating a UUID or something else. Maybe combine that with a salt and you have alright protection. How did you figure out that it was an MD5 of the order number?
2 comments

Presumably order numbers are easily guessable, so the MD5 really offers no protection at all in this case and is no better than just using the order number.
And the thing is, even if they can't be guessed, it's only 999,999 calls to try every 6-digit possibility. And you'd only take 11 days if you were nice and paced yourself to 1 req/sec.
Searching for that MD5 would probably be sufficient to find that out.
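The enumeration argument in the replies above, worked through as an added example (written for this page, not code from anyone in the thread): the order number, the "public" salt and the server key below are constructed values, and the token functions are hypothetical stand-ins for whatever the site actually does. The search runs the same way the attacker would, deriving a candidate token for every 6-digit order number and comparing it with the one seen in the URL. It also shows why a salt the attacker can learn changes nothing, while a keyed token (HMAC with a secret the server keeps) leaves nothing to enumerate.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Constructed sample values; none of these come from a real system.
ORDER_NUMBER = "483172"               # a 6-digit order number, the thing we want to hide
PUBLIC_SALT = b"shop-v2"              # a fixed salt an attacker can learn (e.g. from client code)
SERVER_KEY = secrets.token_bytes(32)  # a secret that never leaves the server

TokenFn = Callable[[str], str]        # maps an order number to its public token


def md5_token(order_number: str) -> str:
    """The scheme the thread describes: the public identifier is just MD5(order number)."""
    return hashlib.md5(order_number.encode()).hexdigest()


def salted_md5_token(order_number: str, salt: bytes) -> str:
    """MD5 over salt || order number. Only helps while the attacker does not know the salt."""
    return hashlib.md5(salt + order_number.encode()).hexdigest()


def keyed_token(order_number: str, key: bytes) -> str:
    """HMAC-SHA256 with a server-side key. Without the key no candidate token can be computed,
    so the size of the order-number space stops mattering."""
    return hmac.new(key, order_number.encode(), hashlib.sha256).hexdigest()


def recover_order_number(token: str, derive: TokenFn, digits: int = 6) -> Tuple[Optional[str], int]:
    """Attacker's search: try every `digits`-digit order number, derive its token the way the
    server does, and stop at the first match. Returns (order number or None, candidates tried)."""
    tries = 0
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        tries += 1
        if derive(candidate) == token:
            return candidate, tries
    return None, tries


def days_to_enumerate(digits: int = 6, requests_per_second: float = 1.0) -> float:
    """Wall-clock time to walk the whole space against a live endpoint at a given request rate,
    for the case where tokens must be tried online rather than computed locally."""
    return 10 ** digits / requests_per_second / 86400


if __name__ == "__main__":
    # 1. Plain MD5: the token leaks the order number after at most 10^6 local hashes.
    seen = md5_token(ORDER_NUMBER)
    print("md5 token:", seen, "->", recover_order_number(seen, md5_token))

    # 2. Salted MD5 with a salt the attacker has recovered: same result.
    seen = salted_md5_token(ORDER_NUMBER, PUBLIC_SALT)
    print("salted:", recover_order_number(seen, lambda c: salted_md5_token(c, PUBLIC_SALT)))

    # 3. Keyed token: the attacker has to guess the key; with a wrong key nothing matches.
    seen = keyed_token(ORDER_NUMBER, SERVER_KEY)
    wrong_key = bytes(32)
    print("keyed:", recover_order_number(seen, lambda c: keyed_token(c, wrong_key)))

    # 4. If tokens can only be tried online, the space is still small: about 11.6 days at 1 req/s.
    print("days at 1 req/s:", round(days_to_enumerate(6, 1.0), 2))
```

The search against the keyed token fails not because HMAC is slower than MD5 but because the attacker cannot derive candidates at all; a random per-order UUID stored server-side has the same property. Note that the keyed scheme still lets the attacker try the space online, so rate limiting and lockout on the lookup endpoint matter either way.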