Fiverr denies data leak after researchers say private user files were indexed by Google


Researchers say sensitive Fiverr user files, including tax documents, IDs, contracts, and credentials, were publicly accessible through Google search results after files hosted on a Cloudinary domain appeared to be exposed without authentication. Multiple reports published this week say the documents were discoverable through publicly reachable URLs tied to Fiverr’s file handling workflow.

Fiverr has pushed back on the characterization of the event as a breach or cyber incident. In a public statement quoted by several outlets, the company said it “does not proactively expose users’ private information” and argued the content in question had been shared by users during normal marketplace activity under agreements between buyers and sellers.

That response has not ended the controversy. Researchers and news outlets say the core issue was not whether files were exchanged legitimately between buyers and freelancers, but whether those files should ever have been reachable by the public web and indexable by search engines in the first place.

What researchers say happened

The reports point to Fiverr’s use of Cloudinary for hosting files shared in its messaging system. According to the researcher account posted on Hacker News and later amplified by other outlets, files uploaded through Fiverr messaging were stored on public Cloudinary URLs rather than access-controlled or expiring links.

Researchers say that setup allowed search engines to crawl and index some of those documents once the URLs became visible on publicly accessible pages or pathways. Several reports say the exposed material included PDFs and images containing tax forms, invoices, ID documents, contracts, passwords, API keys, and work deliverables.

Cybernews reported that the exposed Cloudinary instance was likely associated with Fiverr and said it independently confirmed that many of the documents had been indexed by Google. That independent confirmation has become one of the main reasons the story gained traction beyond the original Hacker News disclosure.

Why the Cloudinary angle matters

Cloudinary itself is not the story here. The concern centers on how Fiverr may have configured access to files stored there. Reports say Cloudinary supports signed or time-limited delivery methods, but the files in question appeared to sit behind public URLs that did not require login or short-lived authorization.

If that description holds, the result is less like a traditional hack and more like a privacy exposure caused by weak access controls. A document can stay “private” in user intent while still becoming public in practice if the hosting layer treats the link itself as open to anyone who finds it.
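The difference between an open link and a signed, time-limited one can be shown in a short sketch. This is an added example, not code from Fiverr, Cloudinary, or the researchers, and it uses a generic HMAC scheme rather than Cloudinary's own signing format; the host name, key, paths, and function names are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real service would load this from a secret store.
SIGNING_KEY = b"demo-key-not-a-real-secret"
BASE = "https://files.example.test"  # hypothetical file host


def _sign(path, user_id, expires):
    # Bind the signature to the file, the intended recipient and the expiry.
    msg = f"{path}\n{user_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(path, user_id, ttl=300, now=None):
    """Issue a link for one recipient that stops working after ttl seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _sign(path, user_id, expires)})
    return f"{BASE}{path}?{query}"


def check_link(url, session_user, now=None):
    """Return (HTTP status, response headers) the file host would send."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Sent on every response so a leaked URL is not indexed or cached.
    headers = {"X-Robots-Tag": "noindex, nofollow",
               "Cache-Control": "private, no-store"}
    try:
        uid, exp, sig = q["uid"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return 403, headers  # bare URL with no signature: the open-link case
    expected = _sign(parts.path, uid, exp)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403, headers  # path, recipient or expiry was altered
    if now > exp:
        return 403, headers  # link outlived its window
    if uid != session_user:
        return 403, headers  # valid link, but a different logged-in account
    return 200, headers
```

With this model a URL that ends up on a public page stops resolving once its window closes, and the `X-Robots-Tag` header tells crawlers not to index whatever they do reach.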

That distinction matters for platforms that move sensitive paperwork between users. Tax and identity documents do not need a hostile intrusion to become a serious incident. Public indexing alone can create a material privacy risk, especially when search engines cache or surface files faster than a platform can take them down.

Fiverr’s response so far

Fiverr has denied that the situation amounts to a breach. The company’s statement, quoted by Privacy Guides and other outlets, says the content was shared by users “in the normal course of marketplace activity” and that Fiverr does not proactively expose private information.

That wording may help explain Fiverr’s position, but it does not directly answer the main question critics are asking. Even if users consented to sharing files with a specific counterparty on Fiverr, that does not mean they consented to broad public access through search indexing.

At the time of the latest reports, Fiverr had not publicly issued a detailed technical explanation describing what was exposed, how long it remained exposed, how many users were affected, or whether Google de-indexing and direct file access controls had been fully addressed. Based on the reporting I found, those points remain unclear.

What users should do now

Users who sent highly sensitive files through Fiverr should take the situation seriously, even while facts continue to develop. If you shared tax forms, identity documents, credentials, or financial records, watch for signs of identity theft and consider rotating any passwords or keys that may have been exposed. This is a precautionary recommendation based on the nature of the reported documents.

Freelancers and clients should also review where they exchange sensitive paperwork going forward. Platforms built for creative collaboration and gig delivery are not always the right place for tax records, government IDs, or secrets that create lasting risk if exposed. That is a practical inference from the reported file types and the alleged access model.

For Fiverr, the immediate trust issue goes beyond one vendor integration. Users need proof that file access controls, indexing protections, and incident response processes actually match the sensitivity of the data the platform handles every day.

At a glance

Item | Current picture
Main allegation | Sensitive Fiverr files were publicly reachable and indexed by Google
Reported storage layer | Cloudinary
Reported exposed content | Tax forms, IDs, invoices, contracts, credentials, work files
Discovery source | Researcher post on Hacker News, later confirmed by multiple outlets
Fiverr’s position | Denies a cyber incident or data leak characterization
Public uncertainty | Scope, duration, total user impact, and full remediation details

Key points

  • Researchers say private Fiverr user files were exposed through publicly accessible Cloudinary links that search engines indexed.
  • Cybernews said it verified that many documents had appeared in Google indexing results.
  • Fiverr publicly denied that the situation was a cyber incident or breach.
  • The most important unresolved question is not whether users shared files intentionally with each other, but whether those files should ever have been publicly reachable.

FAQ

Was Fiverr hacked?

Current public reporting does not show a classic hack in the usual sense. The allegations focus on exposed file access and indexing, while Fiverr denies a cyber incident.

What kinds of files were reportedly exposed?

Reports mention tax forms, IDs, invoices, contracts, passwords, API keys, and other sensitive work files.

Did Fiverr admit a breach?

No. Fiverr denied that the event was a cyber incident and said the content was shared in normal marketplace activity.

Why would Google show private files?

Researchers say the files sat behind public URLs, which can become searchable if crawlers can reach them through public pages or other discoverable paths.
