by lubesGordi 394 days ago
'Heapdump' is a term I learned from debugging Android applications 15 years ago. It's just a snapshot of the Java process's memory. It's going to contain plaintext. Now why those heaps are available at an open HTTP endpoint is another matter, and is the interesting point. I'm guessing the client code had that endpoint hardcoded somewhere or they saw a request to it. I'm not seeing how they could know anything about the back end or how the messages are stored from this. Did I miss something?

The observability endpoints have defaults in Spring Boot and are usually not customized. So if you know the path to the API, you also know the path to the heap dump endpoint.
It's just /actuator/heapdump and usually isn't hard to find. It's off by default in more modern versions but used to be default enabled.
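For readers who want to see what the "default enabled" situation looks like next to a hardened one, here is an added configuration example (not from the thread, nor from any particular project) showing an `application.yml` that exposes every actuator endpoint over HTTP beside one that restricts exposure. The property names are the Spring Boot 2.x management properties; the `management.server.port` value of 9090 and the assumption that port 9090 is firewalled off from the internet are illustrative choices, not anything stated in the thread.

```yaml
# --- Weak: every actuator endpoint, including /actuator/heapdump, is reachable over HTTP ---
# (this is what "*" does; older Spring Boot versions behaved similarly out of the box)
management:
  endpoints:
    web:
      exposure:
        include: "*"        # exposes heapdump, env, threaddump, etc. on the main app port

# --- Hardened: expose only what monitoring needs, disable heapdump outright,
#     and move the management interface to a separate port that is not internet-facing ---
management:
  endpoints:
    web:
      exposure:
        include: "health,info"   # allow-list; nothing else is web-exposed
        exclude: "heapdump,env,threaddump"   # belt and braces: explicit deny-list
  endpoint:
    heapdump:
      enabled: false        # the endpoint is not even registered
  server:
    port: 9090              # assumption: only reachable from the monitoring network, not the internet
```

Two checks are worth doing after applying something like the hardened block: fetch `/actuator` on the application port and confirm that only `health` and `info` are listed, and confirm that a request to `/actuator/heapdump` returns 404 rather than a file. Restricting exposure in configuration does not replace authentication on the management port; if the actuator must stay on the main port, put it behind the same access controls as the rest of the API.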