Legoland Germany has leaked the data of thousands of customers via an IDOR vulnerability. Just adjusting a number in a URL was enough to download reservation data dating back to 2015. This includes period of stay, names and addresses of customers who made the reservation for Legoland, as well as the people who were with them. A guest discovered the data breach in a childishly simple way. He could view his own reservation via a url. By adjusting the number, the guest saw another family’s reservation. All reservations were ascending and easy to download as a PDF document. The number of reservations continued until the number 604104. In a response to Heise Online, Legoland said it introduced a new reservation system six months ago that caused the data breach. The system offers guests an overview of historical reservation data within the new customer portal. Since the switch to the new system, customer data from the past seven years has been visible. The system has now been switched off and the data breach has been reported to the privacy supervisor. An extensive investigation into the data breach has also been announced. IDOR stands for Insecure direct object references. Vulnerabilities like this occur when a web application or API uses an identifier to query an object in a database without authentication or other form of access control. Despite the simplicity of IDOR vulnerabilities, they are still common.