Post from 2024-02-06 07:44:09

In case anyone wonders how the Spoutible shitshow could happen, I'm pretty sure the answer involves "the framework".

Nobody is willing to (or should) carve out records from a DB by hand these days; ORMs do that boring work for us. It also makes sense to just return a User object (magically serialized to JSON) when someone requests user information. But since the DB record corresponding to the User object also includes all kinds of sensitive data...

Of course, this also means that no one - not even the developers - cared to glance at the HTTP traffic generated by the API. They definitely should have, but today's webdev happens at way higher abstraction levels, and this is part of the price we pay for the convenience.

https://www.troyhunt.com/how-spoutibles-leaky-api-spurted-out-a-deluge-of-personal-data/
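The pattern the post describes, as an added example that is not from the post or from Spoutible's code: an endpoint that hands the ORM record straight to the JSON serializer, beside one that maps it through an explicit response model, plus a check that does the "glance at the HTTP traffic" in test form. The record type, column names and the `timeline` feed shape are constructed for illustration.

```python
from dataclasses import dataclass, asdict
import json

# Constructed ORM-style record: the columns the database row actually holds.
@dataclass
class UserRecord:
    id: int
    username: str
    display_name: str
    email: str
    password_hash: str

# Columns that must never leave the server in a public profile response.
SENSITIVE = {"email", "password_hash"}

# Public view as an allowlist: a column added to the table later is not exposed.
@dataclass
class PublicUser:
    id: int
    username: str
    display_name: str

def leaky_profile(record: UserRecord) -> str:
    """Framework default: serialize the whole entity to JSON."""
    return json.dumps(asdict(record))

def safe_profile(record: UserRecord) -> str:
    """Map through the response model; every other column is dropped."""
    view = PublicUser(record.id, record.username, record.display_name)
    return json.dumps(asdict(view))

def timeline(record: UserRecord, profile_fn) -> str:
    """Constructed feed response that embeds the author via profile_fn."""
    author = json.loads(profile_fn(record))
    return json.dumps({"posts": [{"id": 10, "text": "hi", "author": author}]})

def leaked_fields(body: str) -> set:
    """Walk the JSON the client actually receives, including nested objects
    such as an embedded author, and report any sensitive keys."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            found.update(node.keys() & SENSITIVE)
            node = list(node.values())
        if isinstance(node, list):
            for value in node:
                walk(value)
    walk(json.loads(body))
    return found

SAMPLE = UserRecord(1, "alice", "Alice", "alice@example.invalid", "$argon2id$placeholder")
```

Running `leaked_fields` over every response body in the API test suite catches the nested case too, where the profile itself is clean but a feed embeds the full author record.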