If the Twitter thread is accurate, their API received a list of DB fields (and the JSON names to use for each) from the client. Since the field names were hard to guess, someone decided to fuzz the parameter a little, and the API endpoint ended up returning all existing fields in the database.
* The post: https://habr.com/ru/company/lingualeo/blog/515530/
* The corresponding talk: https://pgconf.ru/en/2020/264859
* Twitter thread describing the data breach: https://twitter.com/SanSYS/status/1299657221085835264
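The pattern described above (a client-supplied mapping of JSON names to DB columns that is interpolated into the query, which lets a fuzzer enumerate the schema) is easy to reproduce. The following is an added example and is not LinguaLeo's code; the `users` table, its data and the handler names are constructed for illustration. How the real API disclosed its fields is not known from the thread; here the assumption is that the database error text is passed straight back to the client, which turns the endpoint into a column-name oracle. The hardened version maps JSON names through a fixed allowlist and answers every unknown name with the same generic error.

```python
import sqlite3

# Constructed sample schema and rows (not any real application's schema).
_SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    login TEXT NOT NULL,
    email TEXT NOT NULL,
    password_hash TEXT NOT NULL,
    is_admin INTEGER NOT NULL DEFAULT 0
);
INSERT INTO users VALUES (1, 'alice', 'alice@example.com', '$2b$12$abc', 1);
INSERT INTO users VALUES (2, 'bob',   'bob@example.com',   '$2b$12$def', 0);
"""


def open_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def vulnerable_get_user(conn, user_id, fields):
    """Vulnerable handler: `fields` is {json_name: db_column} chosen by the client.

    Column names cannot be bound as SQL parameters, so they are pasted into the
    statement. The client therefore decides which columns are read (including
    password_hash), and an unknown column surfaces as a DB error that is echoed
    back verbatim (assumed behaviour, see lead-in).
    """
    select_list = ", ".join(f"{col} AS {name}" for name, col in fields.items())
    try:
        row = conn.execute(
            f"SELECT {select_list} FROM users WHERE id = ?", (user_id,)
        ).fetchone()
    except sqlite3.OperationalError as exc:  # e.g. "no such column: foo"
        return {"error": str(exc)}
    if row is None:
        return {"error": "not found"}
    return dict(zip(fields.keys(), row))


def enumerate_columns(conn, candidates):
    """What a fuzzer does against the vulnerable handler: probe each candidate
    column name and keep the ones that do not trigger a 'no such column' error."""
    found = []
    for col in candidates:
        result = vulnerable_get_user(conn, 1, {"probe": col})
        if "error" not in result:
            found.append(col)
    return found


# Hardened: the only mapping from JSON name to column lives server-side.
ALLOWED_FIELDS = {"login": "login", "email": "email"}


def hardened_get_user(conn, user_id, requested):
    """`requested` is a list of JSON field names. Anything outside the allowlist
    is rejected with one generic message, so the client learns nothing about
    columns that exist but are not exposed, and nothing untrusted reaches SQL."""
    if not requested:
        requested = list(ALLOWED_FIELDS)
    if any(name not in ALLOWED_FIELDS for name in requested):
        return {"error": "unknown field requested"}
    cols = ", ".join(ALLOWED_FIELDS[name] for name in requested)
    row = conn.execute(
        f"SELECT {cols} FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return {"error": "not found"}
    return dict(zip(requested, row))


if __name__ == "__main__":
    db = open_db()
    print(vulnerable_get_user(db, 1, {"name": "login", "pw": "password_hash"}))
    print(enumerate_columns(db, ["login", "ssn", "password_hash", "is_admin"]))
    print(hardened_get_user(db, 1, ["login", "password_hash"]))
```

The important design point is that the allowlist is the only place where a JSON name becomes a column name: the request can pick a subset of exposed fields, but it can never name a column, and failures do not echo database text back to the caller.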