How do hackers find holes?

When I see black hats exploiting gaps in security, I have to wonder, how the hell did someone find this?

Is there an algorithm? I would think the white hats would have the algorithms too?

Even in video games, how do they find such obscure holes in professional programming?

4 Answers

Anonymous

“Professional programmers” make mistakes all the time, because there is far more need for people who can code even fairly badly than there are people who are good at it. Companies will sometimes spend tens of thousands of dollars in sourcing costs to find one mediocre software engineer.

There are certainly common approaches. For example, it’s a very bad idea to store users’ passwords in a database, but tons of shoddily-written websites do. Many websites also have much more information exposed than you probably think, and hackers will poke at that information to try to find places where it exposes something it shouldn’t.

For programs on one’s own computer, one can use a program that lets them just look at the computer’s actual memory and watch when certain values change. If you pick up a health potion and the value at memory address 0x4a89b92d changes, well, that’s probably where the game is storing your number of health potions. So you change the value at 0x4a89b92d to 99999999 and see if you get a bunch of potions.

This is just a very basic summary. Finding weaknesses like this is a whole subfield of programming and engineering that tends to attract extremely smart and extremely technical people. There’s a ton of security talks on YouTube that are relatively accessible and pretty interesting, if you want to know more!
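The rescan-and-narrow process described in the answer above, run against a constructed byte buffer rather than a real process, next to a masked counter that the same scan does not find and whose modification is detected. This is an added example, not part of the original answer; the address, the mask and all function names are assumptions made for the illustration.

```python
import struct

MEM_SIZE = 256          # constructed stand-in for process memory
POTION_ADDR = 0x40      # hypothetical address chosen for this demo
MASK = 0x5A5A5A5A       # hypothetical per-session mask

def write_u32(mem, addr, value):
    struct.pack_into("<I", mem, addr, value & 0xFFFFFFFF)

def read_u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]

def scan(mem, value, candidates=None):
    """Return the addresses (from candidates, or all of mem) holding value."""
    if candidates is None:
        candidates = range(len(mem) - 3)
    return [a for a in candidates if read_u32(mem, a) == value]

def narrow(store, counts):
    """Replay 'change the counter, rescan' once for each count in counts."""
    mem = bytearray(MEM_SIZE)
    write_u32(mem, 0x10, counts[0])   # constructed unrelated data, same value
    candidates = None
    for n in counts:
        store(mem, n)
        candidates = scan(mem, n, candidates)
    return candidates

def store_plain(mem, n):
    # The counter sits in memory exactly as displayed on screen.
    write_u32(mem, POTION_ADDR, n)

def store_masked(mem, n):
    # Masked value plus its bitwise complement as an integrity copy.
    write_u32(mem, POTION_ADDR, n ^ MASK)
    write_u32(mem, POTION_ADDR + 4, ~(n ^ MASK))

def load_masked(mem):
    enc = read_u32(mem, POTION_ADDR)
    if read_u32(mem, POTION_ADDR + 4) != (~enc & 0xFFFFFFFF):
        raise ValueError("potion counter was modified outside the game code")
    return enc ^ MASK

if __name__ == "__main__":
    print("plain :", [hex(a) for a in narrow(store_plain, [3, 4, 5])])
    print("masked:", narrow(store_masked, [3, 4, 5]))
```

Masking only raises the effort needed to locate the value; it is obfuscation, not a security boundary. For anything that matters to other players, the count has to be kept and checked on a server the player does not control.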
