The ACMA alleges Optus had at least three chances to recognise that the vulnerable access control also affected the API endpoint as well, prior to it being exploited.