CrumblCookies.com
medium risk 🍪
food, delivery, ecommerce, retail
Leak Date: February 2022
Records: 3.4M rows
Region: US
Current Status: active
About this leak
In early 2022, a security researcher discovered an exposed API on the Crumbl Cookies website that allowed unauthorized access to sensitive customer information. The vulnerability resided in the mobile API endpoint, which failed to properly validate user sessions. This flaw enabled the retrieval of private data for millions of customers who had used the platform for cookie deliveries and gift orders. The exposed data included personal identifiers and contact details. While the company patched the vulnerability after notification, the incident highlighted significant risks in its mobile infrastructure and data handling practices for its rapidly growing franchise network.
Exposed Data
phone
email
first name
last name
address
city
state
zip