Working for a startup building a device / app that let you answer your landline phone on your mobile, and get notifications of missed calls etc.

While developing I purposely didn't secure the endpoint that controlled push notifications.

I waited for the boss to sign up, went to the DB and stole his token. From time to time i'd send a request telling him he missed a call from his wife or son.

... then kicked back and watched the madness and frustration ensue.