Tell HN: Fiverr left customer files public and searchable

Nature and Scale of the Leak

  • Fiverr-hosted files (via Cloudinary) were publicly accessible via unsanitized URLs and indexed by search engines.
  • Leaked content reportedly included US tax forms (1040s), SSNs, passports, IDs, contracts, penetration test reports, health-related documents, internal admin credentials (including for third‑party sites), and confidential business/charity materials.
  • Some users also noted that paid digital products and course PDFs were effectively downloadable for free via search.

Cause and Technical Discussion

  • Files appear to have been served without authentication, relying on “secret” URLs rather than signed or expiring links.
  • Google indexing implies these URLs were linked somewhere crawlable (HTML, sitemaps, or other public sources), though posters debated whether links came from Fiverr pages or user-controlled places (e.g., GitHub).
  • Some commenters argue this design is fundamentally insecure; others say it’s a common but risky UX trade‑off.
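The fix the thread keeps circling back to (signed, expiring links instead of bare "secret" URLs) in miniature, added here as an illustration; this is not Fiverr's or Cloudinary's code, and the host, key and file path are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; a real deployment keeps the key server-side.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"
BASE = "https://files.example.invalid"  # hypothetical file host


def unsigned_url(path: str) -> str:
    """The 'secret URL' pattern: the only protection is that nobody guesses
    or indexes the path. Once a crawler sees it, it stays valid forever."""
    return f"{BASE}{path}"


def _signature(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the path and the expiry so neither can be swapped.
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, key: bytes = SECRET_KEY,
             now: Optional[int] = None) -> str:
    """Issue a link that expires after ttl_seconds and cannot be retargeted."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires, key)})
    return f"{BASE}{path}?{query}"


def verify_url(url: str, key: bytes = SECRET_KEY, now: Optional[int] = None) -> bool:
    """Server-side check: reject missing/expired/tampered links. An unsigned
    'secret' URL fails here because it carries no signature at all."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    expected = _signature(parts.path, expires, key)
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(sig, expected)
```

A leaked unsigned link is a permanent credential; a leaked signed link is dead after its TTL, and a search-engine cache of it fails verification rather than serving the file.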

Disclosure Timeline and Response

  • OP claims they reported the issue to [email protected] ~40 days earlier, with no response.
  • Fiverr’s security email later replied that OP was only the “second” reporter and denied prior contact. Commenters see strong incentives for Fiverr, not the reporter, to misrepresent this.
  • Cloudinary URLs eventually began returning 404s; some users say Google results 404 but direct URLs from their accounts still work, suggesting partial or search‑only mitigation.
  • Fiverr’s public statement frames this as not a “cyber incident,” claiming files were shared as work samples with buyer consent and removed promptly on request. Several commenters call this misleading, given the sensitivity of the leaked data and lack of authentication.

User Impact, Legal, and Regulatory Concerns

  • Many recommend freezing credit and assume PII may already be scraped.
  • Some users report prior bad experiences with Fiverr and see this as consistent with weak fraud handling and support.
  • Multiple commenters call for regulatory action (FTC, GDPR, heavy fines, even criminal liability for gross negligence); others note breaches usually end in small settlements.

Professionalism, Certification, and Responsibility

  • Large subthread debates licensing/certification for software engineers handling sensitive data vs. focusing accountability on companies and executives.
  • Arguments include:
    • Certification could raise competence and attach personal liability.
    • Counterpoint: may not scale, can be captured by big firms, and security failures often stem from management incentives, not lack of degrees.
  • Consensus that current industry norms tolerate security negligence, with privacy policies and ISO certifications seen as weak protection.