If you rely on your application layer to enforce data privacy instead of enforcing it in your storage layer, it's just a matter of time until you have an issue like this.
It says a lot about the security of their API and development culture that they are even struggling with something like this. This should be caught in the first architecture review session.