A serious data exposure issue has surfaced involving Fiverr, where sensitive user documents have reportedly been indexed and made accessible via Google Search. The exposed data includes invoices, tax return forms, driver’s licenses, and other personally identifiable information.
The issue appears to be linked to a misconfigured instance of Cloudinary, a service used to store and deliver media files. According to an anonymous security researcher, Fiverr may have been using public URLs instead of secure, signed links for files shared between users.
This is not a typical breach involving exploitation, but a case of improper access control. However, the impact can still be severe. If sensitive files are publicly accessible and indexable, they are effectively exposed.
The researcher, who shared the findings on Hacker News under the alias “morpheuskafka,” claims the issue was responsibly disclosed over 40 days ago. However, they say there was no response from Fiverr’s security team.
What makes this situation more concerning is that many of these files have already been indexed by search engines. Reports confirm that tax documents, identity proofs, and even internal credentials have appeared in search results.
This seems to be a design-level issue. When platforms rely on public URLs for file delivery, especially in user-to-user communication, the risk of unintended exposure increases. Even a single indexed page can lead to large-scale data discovery.
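The difference between a public file URL and a signed link, as an added example that is not Fiverr's or Cloudinary's code: it uses a generic HMAC scheme from the Python standard library rather than Cloudinary's own signing format, and the key, paths and user names are constructed for illustration. The link is bound to one recipient and an expiry time, and the response asks search engines not to index the file.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service would load this from a secrets manager.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(path: str, recipient: str, expires: int) -> str:
    # The MAC covers the file path, the intended recipient and the expiry.
    msg = f"{path}\n{recipient}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, recipient: str, ttl: int = 300, now=None) -> str:
    """Return a link to `path` valid only for `recipient` for `ttl` seconds."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"exp": expires, "sig": _mac(path, recipient, expires)})
    return f"{path}?{query}"


def authorize(url: str, session_user: str, now=None):
    """Decide a download request; returns (HTTP status, response headers)."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return 403, {}  # bare public-style URL: no signature, no access
    # Recompute for the logged-in user, so a leaked link fails for anyone else.
    expected = _mac(parts.path, session_user, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403, {}
    if now > expires:
        return 403, {}  # an old link found in an index or a log is useless
    return 200, {
        "X-Robots-Tag": "noindex, nofollow",  # keep the file out of search results
        "Cache-Control": "private, no-store",
    }
```

With this design a crawler that discovers the bare path, or a link copied out of a conversation, gets a 403 instead of the document.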
Interestingly, the exposed data is not limited to personal documents. It also includes work deliverables like marketing materials, academic content, and even penetration testing reports. Some users have reportedly found API keys and admin credentials, which increases the risk further.
Users who have shared sensitive documents on Fiverr should assume potential exposure. It is advisable to rotate any shared credentials, monitor for identity misuse, and stay alert for suspicious activity.
This incident shows that most platforms focus on functionality and ease of sharing, but overlook secure defaults. Public file access without strict controls can quickly turn into a large-scale data exposure.







