Here’s one by example. Ages ago (2010?) there was a photo sharing website where you could mark photos as private and they wouldn’t be discoverable. Someone looked at the URL of one of their own photos and realized it was whatever.com/photo/123.
They then changed the URL to /124 and they got someone else’s picture. They kept incrementing the number and realized they could see any photo. The site only protected access if you were accessing the photo through their web interface. The request to download a specific photo was unprotected.
Most vulnerabilities are stupid things like that where a developer assumes certain access patterns and doesn’t implement checks on access. Other times people discover ways to basically log into the computer that hosts the website and they can just look at the files directly. Those vulnerabilities are generally harder to exploit and are used by more professional hackers with a profit motive since they’re harder to do.
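The missing check described in the answer above, shown beside a corrected version. This is an added example, not part of the original answer and not the site's code; the photo store, user names and function names are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Photo:
    owner: str
    private: bool
    data: bytes


# Constructed sample data standing in for the site's photo table.
PHOTOS = {
    123: Photo("alice", True, b"alice-private"),
    124: Photo("bob", True, b"bob-private"),
    125: Photo("bob", False, b"bob-public"),
}

# Denied requests per user; a burst of denials across adjacent IDs is
# the signal a defender would alert on.
DENIED = Counter()


class NotFound(Exception):
    """Raised for missing AND forbidden photos, so the response does not
    reveal which IDs exist."""


def download_unchecked(photo_id: int) -> bytes:
    # The flaw: the download path trusts the ID in the URL and never asks
    # who is making the request. Privacy was enforced only in the web UI.
    return PHOTOS[photo_id].data


def download_checked(photo_id: int, requester: Optional[str]) -> bytes:
    # The fix: authorize on the object itself, on every request path.
    photo = PHOTOS.get(photo_id)
    if photo is None:
        raise NotFound(photo_id)
    if photo.private and photo.owner != requester:
        DENIED[requester] += 1
        raise NotFound(photo_id)
    return photo.data
```

Switching to random, unguessable IDs makes the numbers harder to guess but does not replace the ownership check, since a leaked or shared URL would still open the photo.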