The researcher found that anyone who sent an HTTP POST request without authentication to join.nordvpn.com could see users’ email addresses, payment method and URL, the product they purchased, the amount they paid for it and even the currency used in the transaction.