[codystebbins]

Except in this case, as the parent mentions, it's not an excuse. Why would you secure a type-ahead API that only has access to employee testing data?

It is by design that if someone finds the API they will be able to use it without authentication and nothing is required on behalf of the "hacker" to access it. Are all users of software hackers under this definition?

I do not believe they are lying in their statement that it was temporarily open and intended to be closed, it makes sense to me why that effort would be put off for test data.