Fiverr, the global marketplace for freelance services, is facing scrutiny after security researchers claimed that sensitive user documents, including tax forms and government IDs, were exposed via a third-party storage service. The company has moved quickly to push back, denying reports of a data leak and characterizing the exposed files as user-shared content rather than a systemic security breach.
The controversy began when a security researcher, using the alias “morpheuskafka,” flagged a potential vulnerability on Hacker News. The researcher identified a publicly accessible instance of Cloudinary, a cloud-based image and video management service, that appeared to be linked to Fiverr. According to the report, the exposure allowed for the discovery of invoices, tax return forms, driver’s licenses, and various credentials belonging to Fiverr users.
The core of the dispute lies in how the data was accessed. While the files were not obtained through a traditional “hack” or unauthorized entry into Fiverr’s primary servers, researchers found that many of these documents had already been indexed by Google. This means that anyone using specific search queries could potentially uncover personally identifiable information (PII) without bypassing any access controls.
The Technical Gap: Public vs. Signed URLs
The vulnerability centers on the implementation of Cloudinary’s storage capabilities. Cloudinary offers “signed URLs,” which are temporary, encrypted links that expire after a set period, ensuring that only authorized users can view a file. However, reports indicate that Fiverr utilized public URLs for communication between clients and freelancers.
Because these URLs were public and not protected by expiration timers or strict access controls, they became “crawlable” by search engine bots. Once Google’s indexers found these links, the documents were effectively archived in public search results.

Aras Nazarovas, an information security researcher at Cybernews, described the situation as a significant failure in oversight. “What we have is a major security lapse by Fiverr, due to the links being publicly accessible and indexable, a lot of resources are already being indexed by Google,” Nazarovas stated. He noted that the exposed data spanned everything from sensitive contracts and API keys to work-in-progress deliverables and personal identity documents.
Despite the accessibility of individual files, there is a technical limit to the exposure. Listing the entirety of the storage account would require an account-specific API key. The primary risk is limited to the specific files that search engines have already discovered and indexed.
Fiverr’s Rebuttal: “Not a Cyber Incident”
Fiverr has been adamant that the situation does not constitute a “leak” or a “cyber incident” in the traditional sense. The company argues that the documents in question were uploaded by users themselves as part of the standard marketplace workflow, specifically to showcase portfolios or provide necessary documentation for a project.
In a public response on X, the company clarified its position, stating: “To be clear, this is not a cyber incident. Fiverr does not proactively expose users’ private information. The content in question was shared by users in the normal course of marketplace activity to showcase function samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer’s consent before it can be uploaded. As always, any request to remove content is handled promptly by our team.”
This defense shifts the responsibility toward the users who uploaded the documents, suggesting that the exposure was a result of user choice and consent rather than a failure of Fiverr’s infrastructure. However, this explanation raises questions for security experts regarding why sensitive documents—such as tax returns or driver’s licenses—would be categorized as “work samples” or shared via public-facing URLs.
Comparing the Perspectives
The disconnect between the security community and the company highlights a common tension in the gig economy: the balance between seamless collaboration and rigorous data privacy.
| Feature | Security Researcher View | Fiverr Official Position |
|---|---|---|
| Nature of Event | Major security lapse/data leak | Normal marketplace activity |
| Cause | Use of public instead of signed URLs | User-initiated uploads for samples |
| Risk Level | High (PII indexed by Google) | Limited (Requires buyer consent) |
| Classification | Cybersecurity vulnerability | Not a cyber incident |
What This Means for Gig Workers and Clients
For the millions of freelancers and businesses using the platform, this incident serves as a reminder of the risks associated with sharing sensitive documentation over third-party marketplaces. In the pursuit of efficiency, users often upload “Know Your Customer” (KYC) documents or API keys directly into chat windows or project folders, assuming the platform’s internal security is absolute.
When PII is indexed by search engines, the risk is not just a one-time leak but a permanent digital footprint. Once a driver’s license or tax ID is cached by a search engine, it can be harvested by malicious actors for identity theft or phishing attacks, even if the original file is later deleted from the server.
Users are encouraged to review the files they have shared on the platform and, where possible, use encrypted transfer methods for highly sensitive credentials or identity documents. Those concerned about their data should reach out to Fiverr’s support team to request the removal of any potentially exposed content.
As of the latest reports, Cloudinary has not issued a public statement regarding the specific configuration used by Fiverr. The next critical checkpoint will be whether independent security audits confirm the removal of the indexed files from search engine caches or if regulatory bodies in the EU or US initiate inquiries into the handling of PII under GDPR or similar privacy frameworks.
