Saved February 14, 2026
Do you care about this?
A security researcher discovered a vulnerability in Avelo Airlines' reservation API that allowed a brute-force attack to access sensitive passenger information. The flaw stemmed from missing last name verification and lack of rate limiting, enabling attackers to retrieve personal data in just hours.
If you do, here's more
Avelo Airlines faced a severe security vulnerability in its reservation API, allowing a brute-force attack to potentially expose millions of passenger records. The flaw stemmed from a missing last name verification and inadequate rate limiting, which meant an attacker could guess a 6-character confirmation code without needing the passenger's last name. The total number of possible codes is about 2.18 billion. With the right setup, an attacker could extract all sensitive personal information in about six hours for under a thousand dollars.
The author discovered the vulnerability while changing a flight reservation and noticed unusual network requests. By probing the API, they found that they could access full reservation details using only a valid confirmation code and an authentication cookie. The lack of rate limiting allowed a simple script to generate requests quickly, revealing sensitive data such as full names, dates of birth, government IDs, and even partial payment information. Within minutes, they logged hundreds of valid reservations, which created risks such as identity theft and unauthorized changes to passenger bookings.
After identifying the issue, the author reported it to Avelo Airlines, which responded promptly and took the necessary steps to patch the vulnerability. The incident highlights the importance of basic security measures like requiring multiple factors for data access and implementing rate limiting on sensitive endpoints. Developers are reminded to ensure authentication methods are tightly scoped to user sessions to prevent similar breaches in the future.
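To make the two fixes concrete, here is an added example (not Avelo's code, and not from the original write-up) of a reservation-lookup handler that requires both the confirmation code and the last name, ties access to a server-side session, rate limits per client, and returns the same generic error whether the code or the last name is wrong. The API shape, the session store, the sample records and the keyspace arithmetic (36 alphanumeric characters raised to the 6th power, which gives the roughly 2.18 billion codes the summary mentions) are all assumptions made for this example. The weak code-only lookup is included alongside it only to show what the hardened version changes.

```python
# Added example: hardened reservation lookup. Not Avelo's code; the API shape,
# session store and sample records are assumptions made for illustration.
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Dict, Optional

CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CODE_LENGTH = 6


def code_keyspace(alphabet: str = CODE_ALPHABET, length: int = CODE_LENGTH) -> int:
    """Number of possible confirmation codes: 36**6 is the ~2.18 billion in the text."""
    return len(alphabet) ** length


# Constructed sample records (not real passengers).
RESERVATIONS = {
    "ABC123": {"last_name": "DOE", "name": "Jane Doe", "dob": "1990-01-01", "card_last4": "4242"},
    "XYZ789": {"last_name": "SMITH", "name": "John Smith", "dob": "1985-05-05", "card_last4": "1111"},
}

# Sessions issued at login: token -> account id. A valid cookie on its own
# must not be enough to read arbitrary reservations.
SESSIONS: Dict[str, str] = {}


def new_session(account_id: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


class RateLimiter:
    """Sliding-window limiter: at most max_requests per window per key.
    The clock is injectable so behaviour can be tested deterministically."""

    def __init__(self, max_requests: int, window_seconds: float, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop timestamps that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def lookup_by_code_only(code: str, session_token: str) -> Optional[dict]:
    """The weak pattern from the write-up: any valid cookie plus a code returns the record."""
    if session_token not in SESSIONS:
        return None
    return RESERVATIONS.get(code.upper())


def normalize_last_name(value: str) -> str:
    return "".join(ch for ch in value.upper() if ch.isalpha())


def lookup_reservation(code: str, last_name: str, session_token: str,
                       client_key: str, limiter: RateLimiter) -> dict:
    """Hardened lookup: rate limit first, then session, then both factors.
    Every failure after the rate limit uses the same generic error so a caller
    cannot learn whether the code alone was valid."""
    if not limiter.allow(client_key):
        return {"ok": False, "error": "rate_limited"}
    if session_token not in SESSIONS:
        return {"ok": False, "error": "unauthenticated"}
    code = code.upper()
    well_formed = len(code) == CODE_LENGTH and all(c in CODE_ALPHABET for c in code)
    record = RESERVATIONS.get(code) if well_formed else None
    expected = record["last_name"] if record else "\0"
    # Constant-time comparison, run even for an unknown code so that timing
    # does not distinguish "bad code" from "bad last name".
    if record is None or not hmac.compare_digest(normalize_last_name(last_name), expected):
        return {"ok": False, "error": "not_found"}
    # Return a minimal view; payment details stay server-side.
    return {"ok": True, "name": record["name"], "dob": record["dob"]}
```

The ordering matters: the limiter runs before any database work, so rejected guesses are cheap, and the session check binds the request to a logged-in account rather than to a cookie that merely exists. In a real deployment the limiter key would combine client address and session, and the counter would live in shared storage rather than process memory.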