Where I used to work, I saw XOR used with a looping, hardcoded (in the code) key reused for infinite cyphertexts and shared between all users, with an extremely easy-to-use/access oracle where the user could encrypt messages of any length. I alerted everybody I possibly could about how insecure it was. I provided working examples of exploits and explained how braindead-easy it would be for the average bored teenager to reverse engineer and obtain the key and along with it the ability to decrypt all the messages and craft their own valid messages in like an afternoon. Nobody considered it an issue. I guess because unless people could intercept/mitm messages between other users and us, the impact was “only” the ability to game the system to the tune of 5% of revenue, which I guess they didn’t consider significant… (But developers kept putting more things in those “encrypted” (I use the term extremely loosely) messages and treated those contents as confidential and authentic.)
Oh, and the key only had four bits of entropy per byte. (The bytes of the key were each ASCII characters in the set “0123456789abcdef”.) The key also wasn’t ridiculously long or anything.
Also, as tech companies go, it kind of had its shit together. It wasn’t one of those brick-and-mortar companies just dipping its toe into e-commerce run by octogenarians who thought the internet was a fad. It was a tech company to its bones, using modern technologies and development practices. Except for this complete disregard for security.
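The weakness described in the comment above, as an added example that is not part of the original comment or that company's code: with a constructed stand-in key and hypothetical function names, one known plaintext sent through the encryption oracle returns the whole repeating XOR key, and a flipped ciphertext bit goes unnoticed, while a per-user random key with an HMAC-SHA256 tag rejects the altered message. The HMAC half covers authenticity only; confidentiality would additionally need an authenticated cipher from a vetted library.

```python
import hashlib
import hmac
import secrets
from itertools import cycle

# Constructed stand-in for the hardcoded key: ASCII hex characters only,
# so each key byte carries 4 bits of entropy instead of 8.
LEGACY_KEY = b"3f9a0c71d2e8b654"

def legacy_xor(data: bytes, key: bytes = LEGACY_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(encrypt, probe_len: int = 64) -> bytes:
    """Show that one known plaintext through the oracle yields the key."""
    probe = bytes(probe_len)  # known plaintext (all zero bytes)
    stream = bytes(c ^ p for c, p in zip(encrypt(probe), probe))
    for period in range(1, len(stream) + 1):  # shortest repeating unit
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def flip(blob: bytes, index: int, mask: int) -> bytes:
    """Simulate in-transit tampering by XORing one byte with a mask."""
    out = bytearray(blob)
    out[index] ^= mask
    return bytes(out)

def seal(message: bytes, mac_key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with a per-user random key."""
    return message + hmac.new(mac_key, message, hashlib.sha256).digest()

def open_sealed(blob: bytes, mac_key: bytes) -> bytes:
    """Return the message only if its tag verifies; raise otherwise."""
    message, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return message

if __name__ == "__main__":
    print("key recovered from oracle:", recover_key(legacy_xor) == LEGACY_KEY)
    tampered = flip(legacy_xor(b"credit=0010"), 7, 0x09)
    print("legacy accepts tampered text:", legacy_xor(tampered))
    user_key = secrets.token_bytes(32)  # 256 bits, unique per user
    try:
        open_sealed(flip(seal(b"credit=0010", user_key), 7, 0x09), user_key)
    except ValueError as err:
        print("HMAC rejects tampered text:", err)
```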
Many years ago, a well-known energy company had a Perl script doing symmetric encryption to access root passwords of their Linux and Unix servers.
When used as intended, it would check whether the local Unix user had been granted admin rights to that server, and generate audit logs of the request.
One could also copy the Perl script, comment out the checks and audit logging, and request any and all root passwords.
The only saving grace was that the server was only accessible to existing sysadmins.