Security News

Cybersecurity news aggregator

HIGH Vulnerabilities SC Media

Fiverr faces scrutiny over exposed user files

A third-party data exposure at Fiverr occurred due to the improper storage of user files on Cloudinary using persistent public URLs instead of secure, expiring links, which allowed search engines to index sensitive documents including IDs, tax forms, and contracts. No CVSS score, affected versions, fixed version, or immediate technical workaround are provided in the article. The incident highlights a critical cloud storage misconfiguration risk where reliance on third-party services requires explicit validation of access controls and link expiration policies.

Security Operations, Data Security, Cloud Security

April 20, 2026

By SC Staff

According to HackRead, a security researcher discovered that thousands of files from the gig-work website Fiverr were accessible online due to alleged improper storage by a third-party service. The exposed data reportedly includes sensitive documents such as tax forms, driver's licenses, and work contracts.

The data exposure occurred because Fiverr utilized Cloudinary for image and PDF storage, employing public URLs instead of secure, expiring links. These public URLs allowed search engines like Google to index the files, making them easily discoverable. The exposed information included official identification, private work deliverables, passwords, API keys, and tax records.

A researcher notified Fiverr about the exposed files 40 days prior to public disclosure, but received no response. Fiverr has denied a security breach, asserting that users consented to sharing these files for marketplace activities. However, cybersecurity experts disagree, emphasizing that user consent for specific transactions does not equate to consent for public exposure. Cybersecurity experts advise users who shared identification or tax forms on the platform to monitor for identity theft and change credentials.

Source: HackRead
