Given their complex appearance, some would think that exploiting IDOR based on MongoDB's ObjectID would be difficult. This is not the case as the ObjectID is not random

Why a generic message to prevent user enumeration is an acceptable user experience degradation to improve security