If it used one of the standard system APIs for looking up user accounts (e.g. getpwnam(3)), there's no way it can happen.
This is incredibly bad engineering, on level of a SQL injection, in 21st century. Something a highschool student experimenting with scripting could come up with, but not a supposedly professional software company.
Agreed.