Fiverr Security Flaw Reveals Private Documents Online

Private documents shared on Fiverr may have been exposed publicly through misconfigured file storage and indexed by search engines.

Quick Summary – TLDR:

  • Sensitive Fiverr user files were reportedly accessible via public links.
  • Some documents appeared in Google search results, raising privacy concerns.
  • Researchers claim the issue was disclosed earlier but received no response.
  • Fiverr says content was shared with user consent and is not a security incident.

What Happened?

A potential security issue at Fiverr has raised alarms after reports suggested that user-uploaded documents were accessible through public URLs and indexed by Google. Researchers found that files shared between freelancers and clients could be accessed without authentication.

The issue appears linked to how Fiverr configured its use of a cloud media platform, allowing documents to be publicly available instead of restricted to authorized users.

The situation came to light after a security researcher, posting under the name morpheuskafka, shared findings online. According to the report, Fiverr uses a cloud service to handle files exchanged between users, including PDFs and images.

Instead of using secure, expiring links, the system reportedly relied on public URLs, meaning anyone with the link could access the content.

Even more concerning, some of these links were embedded in publicly accessible pages. This allowed search engines like Google to crawl and index them. As a result, users were able to find documents simply by searching specific queries.

Reports indicate that indexed files may include:

  • Tax forms and invoices
  • Driver licenses and identification records
  • Passwords and API credentials
  • Contracts and work deliverables

Security researchers confirmed that at least some files hosted through these URLs were directly accessible via a browser without login requirements.
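The difference between a public URL and the expiring links mentioned above can be shown in a short sketch. This is an added example, not code from Fiverr or its media provider; the key, paths, user IDs and function names are all constructed for illustration, and user IDs are assumed not to contain the `|` separator.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real service would load this from a secret store.
SECRET_KEY = b"demo-key-for-illustration-only"


def sign_url(path, user_id, ttl_seconds, now=None):
    """Return the path plus a query string binding it to one user and an expiry."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    message = f"{path}|{user_id}|{expires}".encode()
    sig = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'uid': user_id, 'exp': expires, 'sig': sig})}"


def verify_url(url, session_user_id, now=None):
    """Return (allowed, reason) for a request made by the logged-in user."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        uid = query["uid"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "unsigned"        # bare link, the public-URL case
    message = f"{parsed.path}|{uid}|{expires}".encode()
    expected = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad-signature"   # path, uid or exp was altered
    if (now if now is not None else time.time()) > expires:
        return False, "expired"         # a crawled or indexed copy goes stale
    if uid != session_user_id:
        return False, "wrong-user"      # link forwarded to another account
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("/files/order-1001/invoice.pdf", "buyer-42", 300)
    print(link)
    print(verify_url(link, "buyer-42"))                            # valid session
    print(verify_url("/files/order-1001/invoice.pdf", "buyer-42"))  # unsigned
```

With this scheme a link that ends up on a crawlable page stops working once its expiry passes, and it never works for a session other than the one it was issued to.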

Researcher Claims and Industry Reaction

The researcher claims that Fiverr was notified about the issue around 40 days before it became public, but there was no response from the company. This delay has raised questions about how quickly such vulnerabilities are handled.

Cybersecurity experts reviewing the case described it as a major lapse in data handling practices, especially given the type of sensitive information potentially involved.

One expert noted that while not all files could be easily listed without special access, the exposure through search engines significantly increased the risk.

Users on online forums reacted strongly, with some calling it a serious breach of trust. Others pointed out the irony of security certifications appearing among the exposed files.

Fiverr Responds to the Allegations

Fiverr has pushed back on the characterization of the issue as a cybersecurity incident. A company spokesperson said:

Fiverr does not proactively expose users’ private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer’s explicit consent before it can be uploaded. As always, any request to remove content is handled promptly by our team.

Fiverr Spokesperson

The company has not provided further details about whether changes have been made to its file access settings.

What Users Should Do Now?

Until there is more clarity, experts recommend that Fiverr users take extra precautions:

  • Avoid uploading highly sensitive documents unless necessary.
  • Use password protection for files when possible.
  • Immediately change any credentials shared on the platform.
  • Monitor accounts for signs of unauthorized activity or identity misuse.

SQ Magazine Takeaway

I think this situation highlights a bigger issue that goes beyond just Fiverr. Platforms handling user data need to treat every file as sensitive by default, not as optional. Even if users consent to sharing documents, that does not mean those files should be discoverable through a simple Google search.

In my view, calling this “not a cybersecurity incident” feels like a stretch. When personal data can be accessed publicly, intent matters less than impact. Companies need to move faster, communicate clearly, and prioritize user trust above everything else.
