https://news.ycombinator.com/item?id=47769796
Article
- Fiverr exposed customer files (tax returns, SSNs, API tokens, PDFs) publicly searchable via Google
- Vulnerability was reported ~40 days prior with no response; files still accessible hours after disclosure
- Includes pentest reports, confidential documents, digital product files from sellers
Discussion
- Commenters confirmed finding complete Form 1040s, SSNs, API tokens, penetration test reports in results
- Fiverr deleted a freelancer's forum post warning others, calling it a community rules violation
- Fiverr's security team claimed no prior contact despite poster's report 40 days earlier
- Calls for regulatory action, legal liability, and immediate static asset takedown