I saw a similar issue with a company that sold tickets to events several years ago. They sent me an email with a link to my e-ticket. The URL had a sequential id, and there was no auth/verification that I was the one who purchased it.
So, I took a look at the person who ordered before me, and was able to view their name/address, and could have printed their tickets to the event!
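An added example, not part of the comment above and not the ticket company's code: a sketch of the emailed e-ticket link with the lookup as described (sequential id, no check) next to a version that requires a keyed token tied to that id. The order data, `example.test` host, function names and URL layout are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential order ids, as in the comment above.
ORDERS = {
    1001: {"name": "Alice Example", "event": "Concert A"},
    1002: {"name": "Bob Example", "event": "Concert A"},
}

# Server-side secret. Generated per process here; assumed to come from a
# secret store in a real deployment so links survive restarts.
LINK_KEY = secrets.token_bytes(32)


def link_token(order_id: int) -> str:
    """HMAC over the order id, so a link cannot be derived from the id alone."""
    msg = f"eticket:{order_id}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def ticket_url(order_id: int) -> str:
    """URL placed in the purchaser's email (placeholder host and parameters)."""
    return f"https://example.test/eticket?id={order_id}&t={link_token(order_id)}"


def fetch_ticket_weak(order_id: int):
    """The pattern described: any valid id returns the order, no check at all."""
    return ORDERS.get(order_id)


def fetch_ticket(order_id: int, token: str):
    """Return the order only when the token was issued for this exact id."""
    expected = link_token(order_id).encode()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected, token.encode()):
        return None  # same answer for a wrong token and an unknown id
    return ORDERS.get(order_id)
```

Where purchasers have accounts, checking that the logged-in user owns the order is the stronger control; the token only covers the link-in-email case.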