There's a bunch of PII, but another issue is a hacker could refund every payment, start billing random cards, or move money out of their account (this is probably a little more difficult, but they could certainly pay out to the businesses).
Perhaps what they'd be used for more is to start testing cards (we've had this attack happen to our production site on Stripe's checkout.js... it'd be much easier if the attackers had our secret key)!
Additionally... if their site is this trivially insecure it won't end here.
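The card-testing attack mentioned in the comment above shows up in charge logs as a burst of declined attempts across many distinct cards from one source. Below is an added example of the kind of velocity check a merchant can run over those logs; it is not code from the commenter or from Stripe, the log line format is an assumption, and the sample lines are constructed for the example. On Stripe itself you would normally lean on Radar rules and rate limiting in front of checkout as well, rather than relying on a script like this alone.

```python
"""Detect card-testing bursts in charge-attempt logs (added example, not from the thread)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). Assumed format:
#   <ISO-8601 UTC timestamp> ip=<addr> card=<card fingerprint> outcome=<succeeded|declined>
# 192.0.2.9     : a few declines spread over an hour -> normal customer behaviour
# 203.0.113.5   : six declines on six different cards in 15 seconds -> card testing
# 198.51.100.7  : one decline then a success on the same card -> normal retry
SAMPLE_LOG = """\
2024-03-01T09:00:00Z ip=192.0.2.9 card=fp_old1 outcome=declined
2024-03-01T09:10:00Z ip=192.0.2.9 card=fp_old2 outcome=declined
2024-03-01T09:20:00Z ip=192.0.2.9 card=fp_old3 outcome=declined
2024-03-01T09:30:00Z ip=192.0.2.9 card=fp_old4 outcome=declined
2024-03-01T09:40:00Z ip=192.0.2.9 card=fp_old5 outcome=declined
2024-03-01T10:00:01Z ip=203.0.113.5 card=fp_a1 outcome=declined
2024-03-01T10:00:03Z ip=203.0.113.5 card=fp_b2 outcome=declined
2024-03-01T10:00:05Z ip=203.0.113.5 card=fp_c3 outcome=declined
2024-03-01T10:00:08Z ip=203.0.113.5 card=fp_d4 outcome=declined
2024-03-01T10:00:12Z ip=203.0.113.5 card=fp_e5 outcome=declined
2024-03-01T10:00:15Z ip=203.0.113.5 card=fp_f6 outcome=declined
2024-03-01T10:01:00Z ip=198.51.100.7 card=fp_legit outcome=declined
2024-03-01T10:01:30Z ip=198.51.100.7 card=fp_legit outcome=succeeded
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
WINDOW = timedelta(minutes=5)
MAX_DECLINES = 5          # declines per source within WINDOW
MAX_DISTINCT_CARDS = 4    # distinct card fingerprints per source within WINDOW


def parse_line(line):
    """Parse one log line into (timestamp, ip, card fingerprint, outcome)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["card"], fields["outcome"]


def detect_card_testing(log_text, window=WINDOW,
                        max_declines=MAX_DECLINES,
                        max_distinct_cards=MAX_DISTINCT_CARDS):
    """Return {ip: reason} for sources whose recent attempts look like card testing.

    Lines are expected in chronological order. For each source IP a sliding
    window of attempts is kept; a source is flagged when, within the window,
    it either accumulates too many declines or touches too many distinct cards.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, card, outcome) inside the window
    flagged = {}
    for raw in log_text.strip().splitlines():
        ts, ip, card, outcome = parse_line(raw)
        attempts = recent[ip]
        attempts.append((ts, card, outcome))
        # Drop attempts that have aged out of the window.
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        declines = sum(1 for _, _, o in attempts if o == "declined")
        distinct_cards = len({c for _, c, _ in attempts})
        if declines >= max_declines:
            flagged[ip] = f"{declines} declines in {window}"
        elif distinct_cards >= max_distinct_cards:
            flagged[ip] = f"{distinct_cards} distinct cards in {window}"
    return flagged


if __name__ == "__main__":
    for ip, reason in detect_card_testing(SAMPLE_LOG).items():
        print(f"possible card testing from {ip}: {reason}")
```

The slow decliner is never flagged because its attempts are spaced wider than the window, and the legitimate retry is a single decline on one card; only the burst from 203.0.113.5 trips both thresholds. A real deployment would key on more than the source IP (device fingerprint, session, email) since card testers rotate addresses, and would feed the flagged sources into a block or CAPTCHA step in front of the checkout.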
Possibly. Stripe supports limited-scope API keys called "restricted" keys that aren't allowed to, e.g., refund payments, though they're not the default. I have no idea how many people are actually using them.