Not sure if you are aware, but users can be queried including their hashed passwords and private information by visiting the following REST endpoint: https://immoperium.herokuapp.com/v1/users
You might consider securing it via API Keys or other means, limiting the shown information or remove it entirely.