In about 2014 I noticed that the logged in API request, on Uber's website, included full driver info nested under the ride JSON object. It included the drivers full address, license, phone numbers, etc. They patched it a few months later, but it was the worst data leak I've seen.