Payment API Vulnerabilities Exposed “Millions” of Users