api hacking case study