I once worked in a small company as a coder. We had this system where we had admin login with OTP (one time password), all in-house and securely designed. Every now and then when I would login with my own user, just as I pressed enter after inserting the OTP from my phone and the page started loading, I wondered if I had made a typo. However, the login worked, so I figured I must have been wrong.

Then one day when I got to work and had my morning coffee I signed into the system same as usual. Once again, a bit groggy in the morning, I typed the OTP and pressed enter, but this time I was sure I made a typo.

The login worked.

I blinked. I was sure I mistyped the code. I tried logging out and back in again, inserting wrong username, then wrong password. The login didn't work. Then I tried inserting an invalid OTP.

Logged in.

Sipping my coffee, I finally looked at the authentication code. There on the server, we did everything correctly with the username and password, everythinhg was proper and secure and sanitized. But then I found the OTP handling:

```
function checkOTP(number) {
   ...
   //return validate(number);
   return true;
}
```

The OTP code was commented out and always returned true. Now, I'm not one to get anxious about many things, but this was the point where my heartbeat increased a fair bit. The system involved the kind of data you don't want others to access, so my first instinct was to wonder if we'd been hacked, but found no signs of unauthorized entry to the server.

I went to check the git logs, but nothing immediately apparent had been done with the OTP code recently. With git blame I discovered this change was made by a colleague in a large feature that dealt with something completely different. It was committed & released six months earlier.

I fixed the OTP check, did a panic hotfix, and as my colleague arrived, asked him about the commit. His face paled. He explained he disabled OTP locally on his dev machine to make working with his test data easier, and must have accidentally committed his dev code to master.

It should be noted that in this company we didn't have formalized review processes, and since every repository typically had only one developer, this meant most of us worked by direct pushes to master. After this fiasco, I asked if we perhaps should consider pull requests and review processes, but this was declined as those are more of a thing of larger teams.

Many lessons were learned from this experience. For me personally this cemented my belief in CI testing.