allow an attacker to get a corporate email account with which to conduct a little filet-o-phishing
with no server-side checking, allowing a Hamburglar to order food for free
eventually got through to a security McEngineer who said that they were “too busy” to fix the flaw
Coincidentally, I saw on LinkedIn last night they were hiring a Security Operations manager. They should get an Appsec person instead to fix those issues.
They had fun writing this article:
Executive leadership at its finest.