These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company’s website or run text through a translation service at a user’s request. But in practice, the researchers found, these same credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components.
https://www.wired.com/story/mobile-apps-cloud-credentials-exposed/