In short: it was a fairly straightforward modification of the usual API flow, to omit the secondary API call that requests consent, then request a JSON location payload instead of an XML payload. For whatever reason, that bypassed the usual consent check and just dumped the phone's location.
(Submitted url was https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...)
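The flaw class the comment describes, an authorization (consent) check that only runs on one response format, as an added illustration that is not LocationSmart's code or from the linked article; the handlers, subscriber numbers and consent records are constructed for the example:

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed sample data: hypothetical subscribers, not real numbers or records.
CONSENT: Dict[str, bool] = {"15550000001": True, "15550000002": False}
LOCATIONS: Dict[str, Tuple[float, float]] = {
    "15550000001": (37.7749, -122.4194),
    "15550000002": (40.7128, -74.0060),
}

@dataclass
class Response:
    status: int
    body: str

def to_xml(msisdn: str, loc: Tuple[float, float]) -> str:
    return f"<location msisdn='{msisdn}' lat='{loc[0]}' lon='{loc[1]}'/>"

def to_json(msisdn: str, loc: Tuple[float, float]) -> str:
    return json.dumps({"msisdn": msisdn, "lat": loc[0], "lon": loc[1]})

SERIALIZERS: Dict[str, Callable[[str, Tuple[float, float]], str]] = {
    "xml": to_xml, "json": to_json}

def vulnerable_locate(msisdn: str, fmt: str) -> Response:
    """Buggy pattern: the consent check lives inside the XML branch only,
    so the JSON branch hands out the location without ever consulting it."""
    loc = LOCATIONS.get(msisdn)
    if loc is None:
        return Response(404, "unknown subscriber")
    if fmt == "xml":
        if not CONSENT.get(msisdn, False):
            return Response(403, "<error>consent required</error>")
        return Response(200, to_xml(msisdn, loc))
    if fmt == "json":
        return Response(200, to_json(msisdn, loc))  # consent never checked
    return Response(400, "unsupported format")

def hardened_locate(msisdn: str, fmt: str) -> Response:
    """Fixed pattern: authorize first with default deny, then choose the
    representation; an unknown subscriber is refused before any lookup."""
    if not CONSENT.get(msisdn, False):
        return Response(403, "consent required")
    serializer = SERIALIZERS.get(fmt)
    if serializer is None:
        return Response(400, "unsupported format")
    return Response(200, serializer(msisdn, LOCATIONS[msisdn]))

def consent_enforced_everywhere(handler: Callable[[str, str], Response]) -> bool:
    """Regression check: no supported format may return data without consent."""
    return all(handler("15550000002", fmt).status == 403 for fmt in SERIALIZERS)
```

The last function is the kind of cross-format test that would have caught the bug before release: any new serializer added to `SERIALIZERS` is automatically covered.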
The first thing that comes to mind is if this is on a well-known framework, I want to know because those security defaults are awful.
However if these guys rolled their own API auth system and messed up something this simple, or deliberately modified framework defaults... I can't even imagine what conversations happened at their offices this morning.
To me that sounds like you stumbled upon an unauthenticated development/debug mode.