Bundle has all user information public here: lankybox02 - Replit
This is really bad. Firstly all tokens have to be hashed to be kept secure, which is very bad for performance, and yet all the hashes are still public. Secondly, having them hashed doesn’t mean they can’t be cracked, someone could run a script to crack these passwords pretty quickly.
This is basically a data breach, this information should not be public.
Link seemed to have broke: https://replit.com/@lankybox02/bundle-api?v=1#auth.json