Author: Xavier Blasco (a.k.a. Lerhan)
Word count: 942
Language: -
Hacker News points: None

Summary

Xavier Blasco, also known as Lerhan, is a 23-year-old security researcher who identified a significant security flaw in Jazztel's URL shortening system, which allowed unauthorized access to sensitive client contracts. After receiving a suspicious SMS link from Jazztel, Blasco used the tool Gobuster to brute-force candidate URL paths and found that Jazztel's system used shortened URLs with only five-character paths, a keyspace small enough to enumerate. This flaw enabled him to access contracts containing personal client information such as names, phone numbers, and national identity numbers. Recognizing the potential for widespread exposure, Blasco reported the vulnerability to Orange CERT (the security team of Jazztel's parent company, Orange), which quickly responded by increasing the URL path length to ten characters, effectively mitigating the risk of brute-force attacks. This incident underscores the importance of implementing robust security measures, such as authentication, high-entropy strings, and rate limiting, when using URL shortening systems for sensitive data.
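The following is an added illustration of the two mitigations the summary names (high-entropy paths and rate limiting); it is not code from Jazztel or from the original article. It assumes an alphanumeric path alphabet of 62 symbols, which the article does not specify, and shows how the guessable keyspace grows from five to ten characters while a per-client request budget throttles enumeration attempts.

```python
import math
import secrets
import string
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Assumed path alphabet (a-z, A-Z, 0-9); the real service's charset is not stated.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct paths an attacker would have to enumerate."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random path of the given length."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, live_links: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Average random guesses before hitting any one of `live_links` valid paths."""
    return keyspace(length, alphabet_size) / live_links


class ShortLinkStore:
    """Issues unguessable paths with `secrets` and throttles lookups per client."""

    def __init__(self, length: int = 10, max_requests: int = 20, window_s: float = 60.0):
        self.length, self.max_requests, self.window_s = length, max_requests, window_s
        self._links: Dict[str, str] = {}
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def create(self, target: str) -> str:
        while True:  # loop only re-runs on an (astronomically unlikely) collision
            path = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
            if path not in self._links:
                self._links[path] = target
                return path

    def resolve(self, client: str, path: str, now: Optional[float] = None) -> Optional[str]:
        """Return the target, or None if unknown or if the client exceeded its budget."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] > self.window_s:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return None  # throttled; a real service would answer 429 here
        hits.append(now)
        return self._links.get(path)
```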