Although I agree with Outside the Box that this is basic web development best practices, I am not concerned that anyone’s financial future is in peril due to what they have saved in cFIREsim.
It’s more that the service doesn’t tell you that it’s insecure, which goes against user expectation. I believe it’s a web developer’s responsibility to clearly communicate to users who can access any information that they store on the service, and how it can be used. This is why privacy policies are a thing.
A more realistic consequence of this vulnerability is that someone may have put a lot of work into a bunch of simulations, then log in one day and find that they’re all gone. Perhaps there are database backups, but perhaps not. That could possibly upset someone if they lost a lot of time, or if they were relying on this service to plan for FIRE.
The problem isn’t that these are Equifax-breach-level security issues, but more that the service isn’t being honest with its users. I agree with you, sol, that a warning at the top of the page, and no other changes, would probably be fine.
With that said, a service that does not have these vulnerabilities is obviously preferable, especially considering how straightforward it is to implement basic security.