
Comments (62)

  • pesus
    Wow, the other comments weren't exaggerating. This is really bad. If my tax returns or other data were part of this, I might consider legal action. I wonder if somewhere like Wired/Ars Technica/404media might pick this up?
  • applfanboysbgon
    Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.
  • gregsadetsky
    I wrote to security@fiverr.com and they just replied: "You’re the second person to flag this issue to us. Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago unlike the poster claims. We are currently working to resolve the situation"
  • mtmail
    You followed the correct reporting instructions. https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."
  • HeliumHydride
    It seems that someone sent a DMCA complaint months ago relating to this: https://lumendatabase.org/notices/53130362
  • qingcharles
    That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
  • wxw
    Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
  • janoelze
    really bad stuff in the results. very easy to find API tokens, penetration test reports, confidential PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.
  • janoelze
    it's been 5 hours. even manual action to take down the most sensitive files should have completed about 3 hours ago at most. what is happening.
  • rapfaria
    How big of a client is Fiverr? Surely Cloudinary would have alerts for an enterprise client leaking stuff? Just insane
  • johnmlussier
    Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care? This is bad.
  • psygn89
    I guess they used Fiverr for security
  • cleaning
    Wow this is really really bad. Insane this hasn't been fixed yet, media outlets are going to have a fun time with this story
  • impish9208
    This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
  • mraza007
    Woah, that's brutal. All the important information is wild in public.
  • sergiotapia
    This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.
  • smashah
    They bought and.co and then dropped it. strange company
  • popalchemist
    Burn it to the ground.
  • BoredPositron
    Just by scrolling over it that's really rough.
  • yieldcrv
    this is a bad leak, appreciate the attempts at disclosure before this
  • iwontberude
    Loooool what a mess
  • walletdrainer
    > Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII

    This is not how Google works.