When you use the knowledge base assistant, then the exposed api key can be used to retrieve all information regarding the authors

e.g.

curl --request GET "https://apihub.document360.io/v2/teams" --header "api_token: OBBt3Wo9S/fCC3ioJTusteo558ZVbkSNwHU2wb7p95oLG7olxF2OhSkOLk0Ra1ZxSxJeQCegEVtrcC/I8byhTJUqu4EQf0rl8zPOzufIFt6ngqeFTfi9aHLj0b/YIW145z+Vkqvt0LnrmVCFQ7PSFg=="

Response will return the user_id, first_name, last_name, email_id, profile_logo_url, last_login, portal_role etc. of all users in document360

We seen this as a heavy security breach, which needs to be fixed