Using their authentication mechanism, a user should only get an access token with the right combination of client id and client secret.
For at least 7 hours, anyone could get an access token for any client id, without entering the right client secret. With that access token they could see a lot of information for any account.
For at least 7 hours, anyone could get an access token for any client id, without entering the right client secret. With that access token they could see a lot of information for any account.