Fiverr has been storing customer files — including sensitive work products exchanged between clients and freelancers — at publicly accessible, unsigned Cloudinary URLs. These files, some of which contain personally identifiable information (PII) such as tax forms (Form 1040), are indexed by Google and appear in search results. Fiverr also runs Google Ads for tax-related keywords despite the exposure, potentially causing freelancers to violate GLBA/FTC Safeguards Rules. The reporter notified Fiverr's security team 40 days prior and received no response; the disclosure was made public after that lack of acknowledgment.
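For teams that deliver client files through Cloudinary, the following added example (not code from the report or from Fiverr) audits an inventory of your own asset URLs and lists the ones served through a public delivery type, documents first. It assumes Cloudinary's documented URL layout, treats every delivery type other than `private` and `authenticated` as public, and uses a constructed sample inventory with made-up names.

```python
import re
from urllib.parse import urlparse

# Assumed delivery URL layout (Cloudinary's documented format):
#   https://res.cloudinary.com/<cloud>/<resource_type>/<delivery_type>/[s--SIG--/]<rest>
SIGNATURE = re.compile(r"^s--[A-Za-z0-9_-]{8,32}--$")
SIGNED_ONLY_TYPES = {"private", "authenticated"}  # originals need a signed URL
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip"}

def classify(url):
    """Classify one asset URL from your own inventory by how it is exposed."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.hostname != "res.cloudinary.com" or len(parts) < 4:
        return "not-cloudinary"
    delivery_type = parts[2]
    signed = bool(SIGNATURE.match(parts[3]))
    if delivery_type in SIGNED_ONLY_TYPES:
        return "signed-only" if signed else "signed-only-missing-signature"
    # 'upload' and other public types: anyone holding the URL can fetch the
    # original, and a signature here does not restrict access to it.
    return "public"

def audit(urls):
    """Return public URLs, documents first, as (url, is_document) pairs."""
    findings = []
    for url in urls:
        if classify(url) == "public":
            path = urlparse(url).path.lower()
            is_doc = any(path.endswith(ext) for ext in DOCUMENT_EXTS)
            findings.append((url, is_doc))
    return sorted(findings, key=lambda f: not f[1])

# Constructed sample inventory (cloud name, paths and signature are made up).
SAMPLE = [
    "https://res.cloudinary.com/example-cloud/image/upload/v1700000000/deliveries/logo.png",
    "https://res.cloudinary.com/example-cloud/image/upload/v1700000000/deliveries/tax_return.pdf",
    "https://res.cloudinary.com/example-cloud/image/authenticated/s--AbCdEf12--/v1700000000/deliveries/tax_return.pdf",
    "https://cdn.example.com/static/app.js",
]

if __name__ == "__main__":
    for url, is_doc in audit(SAMPLE):
        print("PUBLIC", "document" if is_doc else "other", url)
```

Anything reported as public should be re-uploaded under a signed-only delivery type, and the old URL invalidated, before the file is shared again.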