I have a feeling there's more to it than a clear account number reference in the URL. It was probably a base64-encoded account number or a non-salted hash of the account number (i.e. rainbow-table-reversible), and the quality assurance analysts probably never questioned this.
Disclaimer: I worked in product development making banking software and simple URL hacking was always a standard test.