
jp1016 | 8 days ago

The part where they blame users for not changing the default password is infuriating but unfortunately very common. I've seen this exact same attitude from companies that issue credentials like "Welcome1!" and then act shocked when accounts get popped.

What really gets me is the legal threat angle. Incremental user IDs + shared default password isn't even a sophisticated attack to discover. A curious user would stumble onto this by accident. Responding to that with criminal liability threats under Maltese computer misuse law is exactly the kind of thing that discourages researchers from reporting anything at all, which means the next person who finds it might not be so well-intentioned.

The fact that minors' data was exposed makes the GDPR Article 34 notification question especially pointed. Would love to know if the Maltese DPA ever followed up on this.
