Probably fine, handled badly
Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity
It's all probably fine, but all it takes it one bad explanation and all trust in a company is destroyed. Even if they now come up with a reasonable explanation, we're not going to believe them. If they'd just come clean up front and said something like "yeah, it's keep alive, we just accidentally sent through some slightly sensitive headers, but we're fixing that" then there's wouldn't be much of a story here (assuming that _is_ what it is and there isn't something malicious going on).