
Fiverr users' data have been found leaking on Google Search: invoices, tax return forms, driver’s licenses, credentials, and many other sensitive documents. Fiverr denies allegations of a cybersecurity incident.
A publicly exposed instance of Cloudinary, likely belonging to Fiverr, is leaking private user documents. This platform is used for uploading and storing files, including PDFs, images, and videos.
The news was uncovered and shared by an anonymous security researcher, who claims that they disclosed the issue over 40 days ago, but the company would not reply.
“Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client,” the user under the alias morpheuskafka posted on Hacker News.
The researcher notes that Cloudinary effectively acts like S3 (storage service), serving assets directly to the web client.
“Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.”
What’s even worse, many of the documents have already been indexed by Google. Cybernews can confirm that search results from the affected web servers return tax return forms, driver’s licenses, invoices, and other sensitive documents containing personally identifiable information (PII).
The gig worker deliverables range from pitches and marketing materials to academic work, including graduate theses. Some users report finding internal API credentials, administrator passwords, access to paid courses or digital products, penetration test reports, etc.
“It seems like they may be serving public HTML somewhere that links to these files,” the anonymous researcher speculates.
Update: Fiverr denies allegations of a cybersecurity incident on X.
“To be clear, this is not a cyber incident. Fiverr does not proactively expose users’ private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer’s consent before it can be uploaded. As always, any request to remove content is handled promptly by our team,” Fiverr said.
Users on the forum are already sharing links to various documents. Among them, ironically, is Fiverr’s own ISO 27001 certification for information security excellence, which expired four months ago.
“Extremely bad stuff here. Can’t believe it's been 7 hours now and you can still pull up people’s complete prepared tax returns right from a Google search. This should be a business-ending breach of trust and good practices, but I worry there's probably a lack of regulatory might or will to make anything happen,” one of the users reacted on the Silicon Valley’s premier forum.
Cybernews has reached out to Fiverr for a comment and will update the story with its response.
Researcher claims that the company didn’t react to disclosure
The user who unveiled the leaking instance claims that they attempted to responsibly disclose the cybersecurity issue weeks ago.
“Forty days have passed since this was notified to the designated vulnerability email ([email protected]). The security team did not reply. Therefore, this is being made public as it doesn’t seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it,” morpheuskafka posted.
The researcher further argues that Fiverr itself is actively buying Google Ads for tax-filing keywords like “form 1234 filing,” directing clients to its platform. Without adequate security, the company might be violating the GLBA (Gramm-Leach-Bliley Act) and the FTC Safeguards Rule, which require tax preparers to protect client financial data.
The HN thread calling for immediate action was published 12 hours ago, but the data still remains accessible.
Major mistake
The Cybernews research team analyzed the leak and confirmed that the claims appear valid.
“This is a major security lapse by Fiverr. Due to the links being publicly accessible and indexable, a lot of resources are already indexed by Google. Essentially all files that were shared between service buyers and sellers, including personal identity documents, sensitive contracts, passwords, and API keys shared with contractors, finished and work-in-progress deliverables,” said Aras Nazarovas, information security researcher at Cybernews.
While the individual files are exposed and publicly accessible, external actors can't simply list all of the affected files, as that requires the account’s API key. This limits the impact of the incident to what the search engines have indexed so far.
Still, the researcher warns anyone who used Fiverr to assume that files they shared in private conversations were potentially leaked and publicly accessible, and that attackers might already be attempting to exploit them.
“It is recommended to immediately rotate any credentials shared via Fiverr, monitor for potential signs of identity theft and impersonation attempts,” Nazarovas said.
The researcher is calling on Fiverr to immediately enable proper access controls on private files, ensuring that only the right users can access files they shared or files shared with them. The company should audit which files have been indexed by search engines and notify affected users.
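The Cloudinary point made earlier (public URLs instead of signed, expiring ones) and the call for proper access controls on private files come down to the same mechanism. The following is an added example, not Fiverr's or Cloudinary's code, and it does not reproduce Cloudinary's actual signing scheme: a generic HMAC-signed, expiring URL next to the plain public URL, with the server-side check that rejects expired, tampered or unsigned links. The host name, signing key and sample document are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing key (constructed for this example). In a real
# deployment it lives only on the server or at the storage provider, never in
# client-side code or page source.
SIGNING_KEY = b"example-signing-key-not-real"

# Constructed stand-in for a private asset store: URL path -> document bytes.
SAMPLE_ASSETS = {
    "/docs/tax-return-2023.pdf": b"%PDF-1.4 constructed sample, not a real document",
}


def public_url(base, asset_path):
    """The weak pattern: a permanent URL with no authorization attached.

    Anyone who learns the link (a crawler following a public page, a forwarded
    message, a log file) can fetch the asset indefinitely.
    """
    return f"{base}/{asset_path.lstrip('/')}"


def _signature(path, expires, key):
    # Bind the signature to both the path and the expiry so neither can be
    # changed without invalidating it.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def signed_url(base, asset_path, ttl_seconds, key=SIGNING_KEY, now=None):
    """The stronger pattern: a URL that authorizes one asset for a limited time."""
    now = int(time.time()) if now is None else now
    path = "/" + asset_path.lstrip("/")
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires, key)})
    return f"{base}{path}?{query}"


def verify_signed_url(url, key=SIGNING_KEY, now=None):
    """Server-side check: True only for an unexpired, untampered, signed URL."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # unsigned (public-style) or malformed link
    if now >= expires:
        return False  # expired
    expected = _signature(parsed.path, expires, key)
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def serve(url, assets, require_signature, now=None):
    """Simulated asset endpoint: returns the document bytes, or None for a 403."""
    if require_signature and not verify_signed_url(url, now=now):
        return None
    return assets.get(urlparse(url).path)


if __name__ == "__main__":
    base = "https://cdn.example.test"
    link = signed_url(base, "docs/tax-return-2023.pdf", ttl_seconds=600)
    plain = public_url(base, "docs/tax-return-2023.pdf")
    print("signed:", link)
    print("valid now:", verify_signed_url(link))
    print("public link served when signatures are optional:",
          serve(plain, SAMPLE_ASSETS, require_signature=False) is not None)
    print("public link refused when signatures are required:",
          serve(plain, SAMPLE_ASSETS, require_signature=True) is None)
```

A signed URL is still a bearer token: anyone holding it within its lifetime can fetch the file, so the value comes from short expiry and from never placing the link on a page a crawler can reach. An expired signed link that a search engine did index returns nothing, which is the difference between a finding that ages out and one that stays live for as long as the object exists.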
Updated on April 15th [01:45 p.m. GMT] with a statement from Fiverr.