A server-side vulnerability found in the save-for-later service would have allowed attackers to gain access to all user data and even populate their reading lists with malicious links.