About a year ago, a Norwegian agency notified the maker of certain GPS watches (used so parents could keep track of their kids) that the watches had some major security issues. These were fixed, but apparently little to no follow-up testing was done. When a private pen-testing company took another look recently, they discovered some mind-boggling holes.
When you logged into the web portal used to track a watch's owner, there was a field called User[Grade]. This field was user-modifiable. By changing it from 1 to 0, the researchers had full admin access to the entire portal. This included the ability to view and modify user information for everyone with one of these watches.
The security folks estimate that's about 35,000 users.
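As an added illustration (not code from the original post or from the watch vendor), here is a constructed Python sketch of the pattern described above: a login handler that trusts a client-supplied User[Grade] field beside one that takes the grade only from the server-side record and flags unexpected fields. The user store, passwords and field names are assumptions, not the real portal's.

```python
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed, hypothetical user store standing in for the portal's database.
# Grade 0 = admin, grade 1 = ordinary parent account, as in the write-up.
USER_DB = {
    "parent@example.invalid": {"password": "hunter2", "grade": 1},
    "admin@example.invalid": {"password": "correct-horse", "grade": 0},
}

# The only fields a login request legitimately needs from the client.
ALLOWED_LOGIN_FIELDS = {"User[Email]", "User[Password]"}


def parse_login(body: str) -> dict:
    """Parse a form-encoded body; bracketed keys such as User[Grade] are kept verbatim."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _authenticate(fields: dict) -> Optional[dict]:
    """Return the stored record if email/password match, else None."""
    user = USER_DB.get(fields.get("User[Email]", ""))
    if user is None:
        return None
    if not hmac.compare_digest(user["password"], fields.get("User[Password]", "")):
        return None
    return user


def login_vulnerable(body: str) -> Optional[dict]:
    """Mirrors the reported bug: every User[...] field, including User[Grade], is trusted."""
    f = parse_login(body)
    if _authenticate(f) is None:
        return None
    grade = int(f.get("User[Grade]", 1))  # client-controlled authorization
    return {"email": f["User[Email]"], "grade": grade, "is_admin": grade == 0}


def login_hardened(body: str, audit: list) -> Optional[dict]:
    """Grade comes only from the server-side record; stray fields are logged for detection."""
    f = parse_login(body)
    unexpected = set(f) - ALLOWED_LOGIN_FIELDS
    if unexpected:
        audit.append(f"unexpected login fields from client: {sorted(unexpected)}")
    user = _authenticate(f)
    if user is None:
        return None
    grade = user["grade"]  # never read from the request
    return {"email": f["User[Email]"], "grade": grade, "is_admin": grade == 0}
```

Alerting on unexpected bracketed fields in login requests gives a cheap detection signal even before the authorization logic is fixed.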
The disclosure process didn't go much better. They contacted the manufacturer and told them they'd go public in a month (not unusual, especially with the amount of data involved). The company asked for longer due to the Lunar New Year holiday, but this was refused.
The initial fix was literally to make that part of the portal return a 502 to the security researchers, rather than addressing the problem itself. Once they were called on this, the company actually fixed the issue.