Fiverr Denies Data Leak After Sensitive User Documents Found Exposed
Freelance marketplace Fiverr has denied claims of a data breach following reports that sensitive user documents were publicly accessible via an exposed Cloudinary storage instance. The denial came in response to a Cybernews investigation, which alleged that the leak was discovered by an anonymous security researcher posting on Hacker News as "morpheuskafka".
According to Cybernews, the exposed Cloudinary instance, likely linked to Fiverr, contained invoices, tax forms, driver’s licenses, credentials, and other personally identifiable information (PII). The report confirmed that many of these documents had been indexed by Google, making them discoverable through search results. Security researcher Aras Nazarovas noted that the exposure stemmed from Fiverr’s use of public URLs for client-worker communications, rather than secured, expiring links.
While the files were individually accessible, the full scope of the leak was limited to what search engines had already indexed, as listing all exposed documents required an account’s API key. Users on Hacker News reportedly shared links to the compromised files, raising concerns over the platform’s handling of sensitive data.
In its response, Fiverr stated that the exposed content was shared voluntarily by users as part of marketplace activity, with buyer consent required for uploads. The company emphasized that it does not proactively expose private information and that removal requests are addressed promptly. Cloudinary has not yet commented on the incident.
Source: https://www.pymnts.com/cybersecurity/2026/fiverr-denies-report-of-data-leak/
Fiverr cybersecurity rating report: https://www.rankiteo.com/company/fiverr-com
Cloudinary cybersecurity rating report: https://www.rankiteo.com/company/cloudinary
{
  "id": "FIVCLO1776270341",
  "linkid": "fiverr-com, cloudinary",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Users whose documents were '
                                              'exposed (scope unknown)',
                        'industry': 'Technology/E-commerce',
                        'name': 'Fiverr',
                        'type': 'Freelance Marketplace'}],
 'attack_vector': 'Misconfigured Cloud Storage',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII and sensitive documents)',
                 'type_of_data_compromised': ['Invoices',
                                              'Tax forms',
                                              'Driver’s licenses',
                                              'Credentials',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'description': 'Freelance marketplace Fiverr has refuted claims of a data '
                'breach following reports that sensitive user documents were '
                'publicly accessible via an exposed Cloudinary storage '
                'instance. The exposed documents included invoices, tax forms, '
                'driver’s licenses, credentials, and other personally '
                'identifiable information (PII). The files were indexed by '
                'Google, making them discoverable through search results.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive user data',
            'data_compromised': 'Sensitive user documents (invoices, tax '
                                'forms, driver’s licenses, credentials, PII)',
            'identity_theft_risk': 'High (due to exposure of PII and sensitive '
                                   'documents)',
            'systems_affected': 'Cloudinary storage instance'},
 'investigation_status': 'Ongoing (denial by Fiverr; no confirmation from '
                         'Cloudinary)',
 'post_incident_analysis': {'root_causes': 'Misconfigured Cloudinary storage '
                                           'instance; use of public URLs for '
                                           'sensitive document sharing'},
 'recommendations': 'Use secured, expiring links for client-worker '
                    'communications instead of public URLs; implement stricter '
                    'access controls for cloud storage instances.',
 'references': [{'source': 'Cybernews'},
                {'source': 'Hacker News (post by morpheuskafka)'}],
 'response': {'communication_strategy': 'Public denial of data breach; '
                                        'statement emphasizing user consent '
                                        'for uploads',
              'containment_measures': 'Removal requests addressed promptly '
                                      "(per Fiverr's statement)"},
 'title': 'Fiverr Denies Data Leak After Sensitive User Documents Found '
          'Exposed',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Public URLs for client-worker communications '
                            'instead of secured, expiring links'}