It’s a fairly run of the mill task for developers to access an API. Send a token, check you have permission to do so, and process the data sent back in the request once you have been authenticated.

It’s quick and secure and powers the internet.

No problem.

Like I said, you could do it that way if you were semi-competent. But there is an alternative method.

As a ‘senior developer’ you could alternatively skip the security and authentication and just send the users email and password to the server as plain fucking text in an GET request.

Yeah that works.

And to make this clusterfuck even better, could could error_log() the request, again not worrying about encryption or obfuscation. You could also put that file in a directory so anyone can type /log to the end of the URL to see the fucking file and see everyone’s email and password.

But only a fucking retard would do something that stupid.

Not saying it happened, nor did I spend three fucking hours changing all my fucking passwords and sign back in on desktop, laptop and two mobile phones.

No, I dreamed all this.