April 14, 2026
Public by design, privacy by vibes
Tell HN: Fiverr left customer files public and searchable
Fiverr blasted as users say tax forms were left wide open—'How is this not viral?'
TLDR: A whistleblower says Fiverr left client documents—including tax forms—publicly accessible and searchable, and claims the company ignored a 40‑day security warning. Commenters are furious, calling it egregious and demanding accountability, while some joke that Fiverr went “public by default” with people’s private data—raising serious consumer‑privacy concerns.
Hacker News lit up after a user claimed Fiverr left client files—yes, including U.S. tax forms—publicly accessible and even indexed by Google. The poster says Fiverr used a media service to store and serve files but chose public links instead of locked, expiring ones. Translation: sensitive documents showed up in search. The kicker? The reporter says they followed the rules, emailed the official security address listed in Fiverr’s security.txt, waited 40 days… and got crickets.
Cue the comments. One user gave the thumbs up for “doing it by the book,” while another practically shouted, “Leaking 1040s is egregious.” A third summed up the vibe with, “brutal… all the important information is wild in public.” Others wondered why this isn’t all over the news, calling the whole thing “really rough.” And then came the scorched‑earth take: “Burn it to the ground,” capturing the collective outrage in five explosive words.
There’s extra spice because the original post claims Fiverr buys ads for tax‑prep keywords while not securing the final files—a direct clash with U.S. rules that say financial info must be protected (think “protect people’s bank and tax data, or else”). The meme-ification started fast: “Public by default, privacy by vibes.”
Key Points
- Fiverr used Cloudinary to process and serve files in its messaging system, with assets accessible via public URLs rather than signed/expiring links.
- The report says some public asset links were referenced from publicly served HTML, enabling Google indexing of sensitive files.
- Hundreds of files reportedly appear in Google search results (example: “site:fiverr-res.cloudinary.com form 1040”), with many containing PII.
- The author claims Fiverr buys Google Ads for sensitive document services while not securing resulting work products, potentially conflicting with regulations.
- According to the author, Fiverr was notified via security@fiverr.com 40 days prior with no response and the issue was disclosed publicly, outside CVE/CERT processes.