Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
UNC6692 Hackers Deploy SNOW Malware via Microsoft Teams Helpdesk Impersonation
July 9, 2026
Bridging Threat Intelligence to SOC Action: A Guide for Security Teams
July 9, 2026
Foxit PDF Reader & Editor Patches 20 Critical RCE Flaws
July 9, 2026
Home/CyberSecurity News/Fiverr Exposes User Data to Google Indexing
CyberSecurity News

Fiverr Exposes User Data to Google Indexing

Key Takeaways Fiverr has inadvertently exposed sensitive user files, including tax documents, to public Google search indexing. The exposure stems from a misconfiguration of Fiverr’s...

Jennifer sherman
Jennifer sherman
April 18, 2026 3 Min Read
34 0

Key Takeaways

  • Fiverr has inadvertently exposed sensitive user files, including tax documents, to public Google search indexing.
  • The exposure stems from a misconfiguration of Fiverr’s third-party file-hosting service, Cloudinary, which generated public, rather than authenticated, URLs for attachments.
  • Personal identifiable information (PII) from both freelancers and clients is at risk of public access, potentially violating data protection regulations like the FTC Safeguards Rule and GLBA.
  • Fiverr has yet to publicly address the issue or implement a fix, despite a responsible disclosure made 40 days prior to public revelation.

Freelance services giant Fiverr is currently facing a significant privacy crisis after researchers uncovered sensitive customer files readily accessible and indexed by Google search engines. This incident puts personal identifiable information (PII) at risk for countless users.

Table Of Content

  • Key Takeaways
  • The Cloudinary Misconfiguration
  • What You Should Do

A recent disclosure on Hacker News detailed how an improperly configured file-hosting system made private documents, including completed tax forms exchanged between freelancers and clients, publicly available.

The Cloudinary Misconfiguration

The core of this data exposure lies in Fiverr’s internal messaging system’s approach to file sharing. The platform utilizes Cloudinary, a third-party service, to manage and host images and PDF documents, including final deliverables sent to clients.

While Cloudinary offers functionalities akin to Amazon S3 storage buckets, supporting secure, expiring web links, Fiverr’s implementation reportedly failed to leverage these security features. Instead of requiring authentication for access, Fiverr allegedly configured the service to generate fully public URLs for these sensitive attachments. This oversight allowed search engines, including Google, to crawl and index these files, making them discoverable by anyone.

The presence of these files in public search results suggests that the public links might have been inadvertently exposed through unprotected HTML pages within Fiverr’s network.

The ramifications of this misstep are considerable. Specific Google search queries can allegedly unearth private documents. For instance, a site-specific search for “form 1040” on Fiverr’s Cloudinary domain reportedly reveals private tax documents containing highly sensitive financial and personal data.

The researcher highlighted a notable irony: Fiverr actively invests in Google Ads for tax preparation services, yet the platform failed to secure the very financial work products resulting from these services. This exposure immediately raises concerns about regulatory compliance. By not adequately securing financial documents, Fiverr and its associated tax preparation freelancers could be in breach of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), both of which mandate stringent protections for consumer financial data.

The researcher who identified the vulnerability claims to have adhered to standard responsible disclosure protocols. A comprehensive vulnerability report was submitted to Fiverr’s designated security team 40 days prior to public disclosure. Following a lack of response or remediation efforts from the company, the researcher decided to publish the findings on Hacker News to alert affected users.

What You Should Do

  • Cease sensitive document transfers: Both freelancers and clients should immediately stop sending highly sensitive documents, such as tax forms, government IDs, or medical records, through Fiverr’s internal messaging system.
  • Monitor for identity theft: Clients who have previously engaged freelancers for financial or tax preparation services on Fiverr should actively monitor their credit reports and financial accounts for any suspicious or unauthorized activity.
  • Review past communications: Users should review their past Fiverr communications to identify any sensitive documents that may have been shared and assess their potential exposure.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

HackerSecurityVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Mirai Variant Exploits TBK DVR Vulnerability to Expand Botnet

Next Post

Researcher Uses Claude Opus to Build Working Chrome Exploit Chain

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Meta’s Muse AI Tool Exposes Instagram User Photos to the Public
July 9, 2026
HalluSquatting Attack Poisons AI Coding Assistants to Install Botnet Malware
July 9, 2026
QR Code Phishing Attacks Steal Credentials and Deliver Malware
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us