Fiverr Denies Data Leak Allegations Following Reports of Exposed Cloud Storage
Fiverr, the global freelance services marketplace, faced allegations of a significant data exposure on April 15, 2026, following reports from security researchers. An anonymous researcher using the alias "morpheuskafka" first highlighted the issue on Hacker News, claiming a publicly accessible storage instance was leaking sensitive user documents.
While Fiverr has officially denied that the event constitutes a cyber incident, third-party researchers assert that a security lapse allowed private files to be indexed by search engines. The company maintains that the files found online were shared voluntarily by users during normal business transactions.
The exposure is caused by the configuration of a Cloudinary storage instance allegedly belonging to Fiverr. Unlike secure implementations that use signed or expiring URLs to restrict access, the report indicates that Fiverr used public URLs for communication between clients and freelancers. This configuration allowed search engine crawlers, such as Google, to index sensitive files shared within the marketplace. Security researcher Aras Nazarovas noted that while listing all files requires an API key, individual documents became publicly accessible once indexed, effectively bypassing intended privacy controls.
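The contrast between a public URL and a signed, expiring one can be shown with a minimal HMAC-based scheme. This is an added example, not Fiverr's or Cloudinary's code; the key, the file path and the `expires` and `sig` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real service keeps its key server-side in a secret store.
SIGNING_KEY = b"constructed-demo-key"


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the file path and its expiry, so neither can be altered."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a link that is valid for ttl_seconds (hypothetical parameter names)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires)})}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Check run by the file server before it returns any bytes."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # plain public-style URL with no signature: refuse
    expected = _mac(parsed.path, expires)
    # Constant-time comparison first, then the expiry check.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return now <= expires


def demo() -> dict:
    t0 = 1_800_000_000  # constructed fixed clock so results are reproducible
    link = sign_url("/files/invoice-1234.pdf", 900, now=t0)
    return {
        "fresh": verify_url(link, now=t0 + 60),
        "expired": verify_url(link, now=t0 + 901),
        "other_file": verify_url(link.replace("invoice-1234", "invoice-1235"), now=t0 + 60),
        "unsigned": verify_url("/files/invoice-1234.pdf", now=t0 + 60),
    }
```

Under this scheme a crawler that records a link holds a URL that stops resolving once `expires` has passed, whereas a public URL stays retrievable for as long as the file exists.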
The exposed data includes:
- Invoices and financial records
- Tax return forms
- Driver's licenses and identity documents
- Sensitive contracts and legal agreements
- Passwords and API keys shared with contractors
- Finished and work-in-progress deliverables

[Image: screenshot of indexed files. Source: Cybernews]
The number of affected individuals is not disclosed.
Fiverr responded to the reports by stating that the situation does not represent a security breach but rather the normal course of marketplace activity. The company claims that the content in question consists of work samples shared by users under mutual agreements and that such uploads require buyer consent. Fiverr emphasized that it handles content removal requests promptly and does not proactively expose private information.
However, researchers pointed out that the presence of personally identifiable information (PII) like driver's licenses and tax forms in search results contradicts the claim that only work samples were affected.
Users of freelance platforms should avoid sharing highly sensitive documents like tax forms or clear-text credentials through built-in chat or file-sharing tools. Professionals are advised to use encrypted, external sharing methods for PII and to monitor search engine results for their own names to identify potential leaks.