Just hacked a VC-funded Voice AI company. I now have their prod data.

I now have access to all:

> medical information of customers
> call recordings, phone numbers, contact names
> email addresses
> all SYSTEM_PROMPT for all agents they are running
> API keys and Secrets
> org data
> OAuth Provider IDs
> all webhook_events

Mostly, I did IDOR and BAC attacks to get the data. I was able to retrieve all table columns and other access vulnerabilities. Once I had that, it was very easy to bypass and get all the data.