An unauthenticated API call vulnerability in DPD Groups package tracking system could have been exploited to access the personally identifiable details of its clients. Researchers at Pen Test Partners explored the system and found that they could try out parcel codes on API calls and get back OpenStreetMap addresses with the recipient’s position on the map. The way this API attack worked is random, as one cannot guess parcel numbers for given identities, but it would still be useful in the hands of phishing actors.”]

