Ibrahim Raafat found a vulnerability on suggestions.yahoo.com. He stated that anyone can delete millions of records stored in the database with Direct Object Reference Vulnerability.
Ibrahim said that he found the bug by adding a comment on someone’s post on Yahoo! Suggestions and checking how the request works when deleting his comments. He was able to delete others’ comments, and also add comments using other account.
Yahoo! patched the bug within two days and Ibrahim received a bounty for reporting the bug.
More information about the bug can be found on his blog.