`Fiverr` exposed customer files via public `Cloudinary` URLs

Sensitive client-worker files were served with public Cloudinary links and ended up indexed in Google, including tax forms and other PII. If uploads can contain anything regulated, unsigned asset URLs are a straight production risk, not a convenience tradeoff.

[ KEY POINTS ]

Cloudinary was used like object storage for PDFs/images in messages, but Fiverr chose public URLs over signed or expiring links.
Search results reportedly surfaced hundreds of exposed files, and example queries included tax-document terms such as form 1040.
The report says notice went to security@fiverr.com and 40 days passed without reply, which is its own vendor-risk signal.
The practical takeaway is simple: treat file delivery paths like auth surfaces, especially when uploads may contain PII, contracts, or financial docs.

Originalnews.ycombinator.com/item?id=47769796Read original →

// related

#0001
#0001Infra & SaaS GeekNews16 hours ago
`GitHub` investigates unauthorized access to internal repositories
40radar
Scope is currently limited to internal repositories. No evidence points to customer data outside GitHub repos, so this is a watch item, not an immediate migration trigger.
- Confirmed scope is internal repository access. Customer enterprises and organizations are not reported as affected yet.
- No evidence currently shows impact to customer information stored outside GitHub internal repos. Keep monitoring official updates.
- Practical action is limited: review org audit logs, rotate sensitive tokens if stored carelessly, and avoid panic moves.
Source: news.hada.io/topic?id=29701Read original →
FIG-0011:1
40radar
FIG-0011:1
#0002
#0002Infra & SaaS RevenueCat Blog19 hours ago
`Google Play Billing Library` `9.0`, billing and console updates from I/O 2026
80radar
Google Play Billing LibraryAndroid billing library — Google Play in-app purchase integration
Billing, analytics, protection, and Play Console all moved at once. Android subscription code should be reviewed now, not after a build rejection.
- Play Billing Library 9.0.0 is a major version, so billing code deserves a compatibility pass before the next Android release.
- The update bundle includes AI, Play Console, analytics, and protection changes. Store operations are expanding beyond payment integration.
- RevenueCat coverage matters because it usually translates Google Play billing changes into SDK and migration impact.
- Apps with Android subscriptions should watch RevenueCat and Google timelines together. Late migration turns into release risk.
Source: www.revenuecat.com/blog/engineering/play-billing-v9/Read original →
FIG-0021:1
80radar
FIG-0021:1
#0003
#0003Infra & SaaS r/SaaS19 hours ago
Do not treat `Vercel` or `Railway` as zero-ops production infrastructure
50radar
Managed hosting can still fail at the account and control-plane layer. Back up env vars, rehearse redeploys, and keep an exit path ready.
- A Vercel account with 10 projects reportedly lost env vars, secrets, and configs. Treat dashboard state as data that needs backup.
- Support response took about 2 weeks in the reported incident. Paid convenience does not guarantee incident-speed help.
- Migrating to Railway consumed days, then the control plane became inaccessible. Provider switching is not a disaster plan by itself.
- Direct AWS or GCP adds setup pain, but IaC plus secret backups gives more control over recovery paths.
Source: www.reddit.com/r/SaaS/comments/1ti6v5w/never_host_your_aRead original →
50radar
PHOTO
FIG-0031:1

`Fiverr` exposed customer files via public `Cloudinary` URLs

// related

`GitHub` investigates unauthorized access to internal repositories

`Google Play Billing Library` `9.0`, billing and console updates from I/O 2026

Do not treat `Vercel` or `Railway` as zero-ops production infrastructure