I've seen the "Express <Form with Personal Data>" vuln before, but with people's SSNs, DOBs, and bank account numbers, plus sequential numeric user IDs instead of emails. It's fixed now, thankfully, but, uh, yeah.