Sensitive user data linked to Fiverr, a marketplace for freelance services, has been exposed online through publicly accessible file links, allowing documents to be discovered via search engines.
The exposure involves files stored on Cloudinary, a cloud-based media management service used to process and host user uploads. According to a security researcher cited in reporting, the platform was configured in a way that allowed documents to be indexed and accessed without authentication.
The leaked material includes a range of user-submitted documents shared through Fiverr’s messaging system. These files are reported to contain invoices, contracts, tax forms, and identity documents such as driver’s licenses. Some records also include credentials and other sensitive information tied to user accounts.
The exposed files could be accessed directly through URLs and were discoverable through standard Google searches, indicating that the data was not adequately restricted from public indexing. The issue is linked to how uploaded content was handled by the external service rather than a direct breach of Fiverr’s core systems.
According to the researcher, the vulnerability was disclosed to the company more than 40 days before the report was published. The individual stated that no response had been received during that period.
The Cloudinary service is commonly used to process images, PDFs, and other files shared between users, including work-related documents exchanged between freelancers and clients. In this case, those files appear to have been stored in a way that allowed unrestricted access if the correct links were known or indexed.
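The two conditions described above, files that can be fetched without authentication and files left open to search-engine indexing, can be audited separately on a site's own upload URLs. The following is an added example, not code from Fiverr, Cloudinary or the reporting; the URLs, probe records and function names are constructed for illustration.

```python
# Added example: audits the results of unauthenticated GET requests made
# against a site's own upload URLs. All data below is constructed.

# X-Robots-Tag directives that legitimately carry a "name: value" form.
VALUED = {"unavailable_after", "max-snippet", "max-image-preview", "max-video-preview"}

def blocks_indexing(x_robots_values):
    """True only if a rule that applies to every crawler says noindex or none."""
    for value in x_robots_values:
        head, sep, _ = value.partition(":")
        # "googlebot: noindex" is scoped to one crawler; others may still index.
        scoped = bool(sep) and "," not in head and head.strip().lower() not in VALUED
        if scoped:
            continue
        directives = {d.strip().lower() for d in value.split(",")}
        if directives & {"noindex", "none"}:
            return True
    return False

def audit(probes):
    """Return (url, finding) for every file served without credentials."""
    findings = []
    for p in probes:
        if not 200 <= p["status"] < 300:
            continue  # request without credentials was refused
        robots = [v for k, v in p["headers"] if k.lower() == "x-robots-tag"]
        # noindex only hides the file from search results; anyone holding
        # the link can still read it, so "public" remains a finding.
        finding = "public" if blocks_indexing(robots) else "public+indexable"
        findings.append((p["url"], finding))
    return findings

# Constructed probe records: status and headers seen with no cookies or tokens.
BASE = "https://files.example.com/messages/"
PROBES = [
    {"url": BASE + "1001/invoice.pdf", "status": 200,
     "headers": [("Content-Type", "application/pdf")]},
    {"url": BASE + "1002/contract.pdf", "status": 200,
     "headers": [("X-Robots-Tag", "googlebot: noindex")]},
    {"url": BASE + "1003/id-scan.jpg", "status": 200,
     "headers": [("x-robots-tag", "noindex, nofollow")]},
    {"url": BASE + "1004/tax-form.pdf", "status": 401, "headers": []},
]

if __name__ == "__main__":
    for url, finding in audit(PROBES):
        print(f"{finding:17} {url}")
```

Only the file that returns 401 drops out of the report; the one marked `noindex` is still listed because the header affects search results, not access.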
The dataset includes both personal and business-related information. Documents linked to transactions between users, including contracts and work deliverables, were among the materials identified. Identity-related files suggest that some users may have uploaded verification documents through the platform’s communication channels.
The full scope of the exposure, including the total number of affected users and files, has not been disclosed. It is also not confirmed how long the data remained accessible before being identified.