A password link that didn’t expire leads to the discovery of exposed personal information at a payments service.Source