{"id":45476,"date":"2026-04-16T18:42:45","date_gmt":"2026-04-16T10:42:45","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/16\/researchers-say-fiverr-left-user-files-open-to-google-search\/"},"modified":"2026-04-16T18:42:45","modified_gmt":"2026-04-16T10:42:45","slug":"researchers-say-fiverr-left-user-files-open-to-google-search","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/16\/researchers-say-fiverr-left-user-files-open-to-google-search\/","title":{"rendered":"Researchers Say Fiverr Left User Files Open to Google Search"},"content":{"rendered":"\n<p>A security researcher named <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/news.ycombinator.com\/item?id=47769796\">Morpheuskafka<\/a> has found that thousands of private files from the Tel Aviv-based gig-work website <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/malware-hits-freelancers-at-fiverr-and-freelancer-com\/\">Fiverr<\/a> were left open for anyone to view online. The leaked data allegedly includes very sensitive items like tax forms, photos of driving licences, and work contracts. These documents were not stored on a private, restricted server but were actually indexed and appeared in Google search results.<\/p>\n<h3><strong>How the Data Was Exposed<\/strong><\/h3>\n<p>Fiverr uses a third-party service called <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/image-format-conversion-web-security-performance\/\">Cloudinary<\/a> to manage and store the images and PDFs that users send to each other. Instead of using signed or expiring URLs that only authorised users could open, the platform reportedly used public URLs. 
<\/p>\n<div>\n<figure><a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-1024x357.png\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-1024x357.png 1024w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-300x104.png 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-768x267.png 768w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-1536x535.png 1536w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-380x132.png 380w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-800x279.png 800w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3-1160x404.png 1160w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-3.png 1726w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" alt=\"Researchers Say Fiverr Left User Files Open to Google Search\" \/><\/a><figcaption>Researcher on HN explaining the issue<\/figcaption><\/figure>\n<\/p><\/div>\n<p>Since some of these links were placed on public pages, search engines were able to crawl and list them, which is why a simple search could bring up a user\u2019s personally identifiable information (<a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/carlsberg-event-wristband-leaked-pii-disclose\/\">PII<\/a>). 
The types of data found include:<\/p>\n<ul>\n<li>Official ID cards and driving licences<\/li>\n<li>Private work deliverables and contracts<\/li>\n<li>Passwords and API keys used for software<\/li>\n<li>Tax records and invoices containing physical addresses<\/li>\n<\/ul>\n<p>Morpheuskafka first spotted the problem and notified Fiverr\u2019s security team via email around 40 days before making the news public, but the company didn\u2019t reply. Interestingly, it was found that Fiverr even paid for <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/malicious-google-ads-mac-fake-mac-cleaner\/\">Google Ads<\/a> for keywords like &#8220;form 1040 filing,&#8221; even though these specific tax forms were among the files that were not properly secured.<\/p>\n<div>\n<figure><a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"990\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-1024x990.png\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-1024x990.png 1024w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-300x290.png 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-768x743.png 768w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-1536x1485.png 1536w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-380x367.png 380w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-800x773.png 800w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2-1160x1122.png 1160w, 
https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fiverr-left-user-files-open-to-google-search-2.png 1838w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" alt=\"Researchers Say Fiverr Left User Files Open to Google Search\" \/><\/a><figcaption>Snippet of the exposed files on Google (Image credit: Hackread.com)<\/figcaption><\/figure>\n<\/p><\/div>\n<h3><strong>Fiverr Denies a Security Breach<\/strong><\/h3>\n<p>Fiverr has <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/sqmagazine.co.uk\/fiverr-security-flaw-private-documents-google\/\">categorically denied<\/a> the claim, stating that this is not a cyberattack or a security incident because users gave their permission for these files to be shared as part of their work. A spokesperson for the firm said:<\/p>\n<p>&#8220;Fiverr does not proactively expose users\u2019 private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers.&#8221;<\/p>\n<p>However, cybersecurity experts <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/x.com\/CR1337\/status\/2044398253714952535?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E2044398253714952535%7Ctwgr%5E19cdbbde853a585c86a9c2b6b62461ace14ebd53%7Ctwcon%5Es1_c10&amp;ref_url=https%3A%2F%2Fhackread.com%2Fwp-admin%2Fpost.php%3Fpost%3D143998action%3Dedit\">disagree with this view<\/a>. They argue that even if a user agrees to share a file with one client, it does not mean they want it to be public for everyone to find. Experts suggest that anyone who has shared their ID or tax forms on the site should monitor their accounts for signs of <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/identity-theft-ways-secure-identity-online\/\" data-type=\"post\" data-id=\"86479\">identity theft<\/a>. 
It is also a good idea to change any login credentials that were sent through the platform\u2019s messaging system.<\/p>\n<h3><strong>Expert View on Data Handling<\/strong><\/h3>\n<p>In a comment shared with Hackread.com, <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/www.linkedin.com\/in\/davestuart\">David Stuart<\/a>, Cybersecurity Evangelist, Sentra, explained that this situation is a classic example of how sensitive data can spread and be handled incorrectly. He said:<\/p>\n<p>&#8220;Fiverr\u2019s incident is a textbook case of sensitive data sprawl and misconfigured third-party infrastructure: highly sensitive documents (including tax returns, IDs, health records, and even admin credentials) were stored on Cloudinary behind unauthenticated, non-expiring URLs, then surfaced via public HTML so Google could index them, remaining accessible for weeks after initial disclosure and hours after public reporting.&#8221;<\/p>\n<p>According to Stuart, the issue was not a complex hack but a simple failure to use the right safety settings. &#8220;This isn\u2019t a zero-day exploit; it\u2019s a failure to understand where regulated data lives, how it rapidly proliferates and is shared across services, and whether controls like signed URLs, authentication, and proper indexing rules are actually in place,&#8221; he noted.<\/p>\n<p>He suggested that companies need to be better at finding and categorising the private data they hold to prevent these &#8220;unlocked door&#8221; leaks. 
He added that security teams must be able to:<\/p>\n<p>&#8220;Identify when business workflows push regulated content into the wrong systems, prioritize remediation before search engines or adversaries find it, and demonstrate that these risks are being monitored continuously as data environments expand.&#8221;<\/p>\n<div>\n<h5><a target=\"_blank\" rel=\"author\" href=\"https:\/\/hackread.com\/author\/deeba\/\">Deeba Ahmed<\/a><\/h5>\n<div>Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. 
Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A security researcher named Morpheuskafka has found tha [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-45476","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45476"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45476\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}