Full Report
A security researcher named Morpheuskafka has found that thousands of private files from the Tel Aviv-based gig-work website Fiverr were left open for anyone to view online. The leaked data allegedly includes very sensitive items like tax forms, photos of driving licences, and work contracts. These documents were not stored on a private, restricted server but were actually indexed…
Analysis Summary
# Incident Report: Exposure of Fiverr Private User Data via Google Search
## Executive Summary
A security researcher discovered that thousands of private files belonging to Fiverr users were publicly accessible and indexed by Google search results. The leak was caused by the platform’s failure to use authenticated or temporary URLs for documents stored via a third-party service, Cloudinary. This resulted in the exposure of highly sensitive Personally Identifiable Information (PII), including tax forms and government IDs.
## Incident Details
- **Discovery Date:** Reported April 17, 2026 (based on article publication)
- **Incident Date:** Ongoing until discovery
- **Affected Organization:** Fiverr (Tel Aviv-based gig economy platform)
- **Sector:** Technology / Gig Economy / E-commerce
- **Geography:** Global (Israel-based HQ)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Duration of misconfiguration)
- **Vector:** Unauthenticated, static object URLs on misconfigured third-party cloud storage (a broken access control issue, sometimes filed alongside IDOR; not a network intrusion).
- **Details:** Fiverr served private user attachments from Cloudinary via public, static URLs instead of signed, expiring links tied to an authorized session, so anyone holding a URL could fetch the file without logging in.
### Lateral Movement
- **Movement:** Not applicable. This was a data exposure incident rather than a network intrusion. Public search engine crawlers (Google) followed the public links and indexed the content.
### Data Exfiltration/Impact
- **Data Exposed:** Sensitive media and PDF documents including tax forms, driving license photos, PII, and work contracts.
- **Mechanism:** Files were indexed by Google, allowing anyone to find them via simple search queries.
### Detection & Response
- **Detection:** Discovered by independent security researcher "Morpheuskafka."
- **Response Actions:** The finding was made public via HackRead and Y Combinator's Hacker News forum; specific remediation actions by Fiverr (such as revoking the exposed links, requesting de-indexing, or moving to authenticated delivery) were not detailed in the source article, although they are the obvious requirements for resolution.
## Attack Methodology
- **Initial Access:** Publicly accessible cloud storage (Cloudinary) URLs.
- **Persistence:** No attacker action required; the exposure persisted on its own because static public URLs stay valid until the files are moved or the links are revoked.
- **Discovery:** Google Search indexing/web crawling of public-facing pages containing links to private assets.
- **Collection:** Automated indexing by search engines.
- **Exfiltration:** Direct download via standard web browser—no specialized toolset required.
- **Impact:** Mass exposure of PII and private legal/financial documentation.
## Impact Assessment
- **Financial:** Potential for regulatory fines (GDPR, CCPA) and identity theft for affected users.
- **Data Breach:** Thousands of files containing high-value PII (tax forms and government IDs, which carry taxpayer and identity numbers).
- **Operational:** Damage to the trust framework between gig workers and the platform.
- **Reputational:** Significant negative press regarding the handling of sensitive user data.
## Indicators of Compromise
- **Network indicators:** Unauthenticated requests, including those from crawler user agents such as Googlebot, to asset paths on the Cloudinary delivery domain res[.]cloudinary[.]com that should only be reachable with a signed URL or an active session. Crawler traffic by itself is normal; crawler traffic to private-asset paths is the signal.
- **File indicators:** Publicly reachable .pdf, .jpg, and .png files under those paths whose names or contents carry sensitive keywords (e.g., "tax," "passport," "contract").
- **Behavioral indicators:** Content intended to be authenticated-only appearing in external search engine results, which can be checked with site: and filetype: queries against the delivery domain.
## Response Actions
- **Containment:** (Recommended; not confirmed by the source) Move or invalidate the exposed assets so the static URLs stop resolving, remove references to them from public-facing pages, and request de-indexing from Google.
- **Eradication:** Implementation of "Signed URLs" or "Expiring URLs" to ensure only authorized users can view attachments.
- **Recovery:** Notifying affected users of potential PII exposure.
## Lessons Learned
- **Key Takeaways:** Third-party integrations (Cloudinary) require the same security scrutiny as internal infrastructure. Reliance on "security by obscurity" (long, hard-to-guess URLs) is not a substitute for authorization, because a URL is only secret until it is shared, logged, or linked from a page a crawler can reach.
- **Missed Opportunities:** The platform lacked an authorization layer for file access, which is the root cause. It also did not use `noindex` signals (an `X-Robots-Tag` header, or `robots.txt` on a domain it controls) to keep compliant crawlers away from sensitive paths; note that these only reduce discoverability and do nothing to stop a direct download, so they are a supplement to access control, not a replacement for it.
## Recommendations
- **Access Control:** Serve all user-uploaded content through signed URLs that expire after a short duration and are minted only for the authorized user (Cloudinary's signed-URL and authenticated delivery options; the equivalent of AWS S3 presigned URLs or Azure Shared Access Signatures on other platforms).
- **Search-Engine Exposure:** Send `X-Robots-Tag: noindex, nofollow` and `Cache-Control: private, no-store` on every sensitive file delivery response so that even an authorized download is not indexed or cached by intermediaries.
- **Storage Strategy:** Keep sensitive PII in private buckets or private delivery types that require an active session token or OAuth verification to access, rather than relying on public URLs.
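The following is an added example, not code from Fiverr, Cloudinary, or the original article. It shows the two recommendations above working together: minting HMAC-signed, expiring asset URLs and rejecting anything unsigned, expired or tampered with, and a log check that flags successful requests to private-asset paths that lack a valid signature (the unsigned static-URL pattern behind the exposure), in line with the Indicators of Compromise section. It uses a generic HMAC scheme rather than Cloudinary's own signing format, so in production the delivery service's native signed-URL feature should be used instead; the secret, delivery host, paths and log lines are all constructed for the example.

```python
"""Signed, expiring asset URLs plus a log check for unsigned private-asset hits.

Added example; not Fiverr's or Cloudinary's code. The secret, host, paths and
log lines below are constructed for illustration.
"""
import hashlib
import hmac
import re
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"rotate-me-server-side-only"   # assumption: never shipped to clients
DELIVERY_HOST = "cdn.example.invalid"    # hypothetical delivery host
PRIVATE_PREFIX = "/private/"             # paths that must never be served unsigned


def _signature(path: str, expires: int, secret: bytes) -> str:
    """HMAC-SHA256 over the path and expiry so neither can be altered."""
    return hmac.new(secret, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_asset_url(path: str, ttl_seconds: int, secret: bytes = SECRET,
                   now: Optional[int] = None) -> str:
    """Mint a URL valid for ttl_seconds; call only after authorizing the user."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires, secret)})
    return f"https://{DELIVERY_HOST}{path}?{query}"


def verify_asset_url(url: str, secret: bytes = SECRET,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). A bare static URL is rejected as 'unsigned'."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "expires" not in qs or "sig" not in qs:
        return False, "unsigned"
    try:
        expires = int(qs["expires"][0])
    except ValueError:
        return False, "malformed-expiry"
    # Check the signature before the expiry so a forged link is reported as forged.
    if not hmac.compare_digest(_signature(parts.path, expires, secret), qs["sig"][0]):
        return False, "bad-signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


def handle_asset_request(url: str, now: Optional[int] = None) -> Tuple[int, Dict[str, str]]:
    """Delivery decision: 403 unless the URL verifies; never let a 200 be indexed or cached."""
    ok, reason = verify_asset_url(url, now=now)
    if not ok:
        return 403, {"X-Error": reason, "Cache-Control": "private, no-store"}
    return 200, {
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Cache-Control": "private, no-store",
    }


# Combined-format access log line (constructed sample format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CRAWLER_UA = re.compile(r"Googlebot|bingbot|DuckDuckBot|YandexBot", re.I)


def flag_exposures(log_lines: List[str], secret: bytes = SECRET,
                   now: Optional[int] = None) -> List[Dict[str, object]]:
    """Flag 200 responses for private-asset paths that were not validly signed."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not m["target"].startswith(PRIVATE_PREFIX):
            continue
        ok, reason = verify_asset_url(f"https://{DELIVERY_HOST}{m['target']}", secret, now)
        if not ok:
            findings.append({"ip": m["ip"], "target": m["target"], "reason": reason,
                             "crawler": bool(CRAWLER_UA.search(m["ua"]))})
    return findings


NOW = 1_700_000_000  # fixed clock so the example is deterministic
GOOD = sign_asset_url("/private/u123/tax_form.pdf", 300, now=NOW)
GOOD_TARGET = GOOD.split(DELIVERY_HOST, 1)[1]
SAMPLE_LOG = [  # constructed log lines: static crawler hit, valid signed hit, forged, public
    '66.249.66.1 - - [14/Nov/2023:22:13:20 +0000] "GET /private/u123/tax_form.pdf HTTP/1.1" '
    '200 48211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    f'203.0.113.7 - - [14/Nov/2023:22:13:21 +0000] "GET {GOOD_TARGET} HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [14/Nov/2023:22:13:22 +0000] "GET /private/u123/tax_form.pdf?expires={NOW - 10}&sig=deadbeef HTTP/1.1" '
    '200 48211 "-" "curl/8.4"',
    '198.51.100.9 - - [14/Nov/2023:22:13:23 +0000] "GET /public/logo.png HTTP/1.1" 200 1024 "-" "curl/8.4"',
]

if __name__ == "__main__":
    print("signed:", GOOD)
    print("static URL ->", verify_asset_url(f"https://{DELIVERY_HOST}/private/u123/tax_form.pdf", now=NOW))
    for finding in flag_exposures(SAMPLE_LOG, now=NOW):
        print("exposure:", finding)
```

The first log line is the incident in miniature: a crawler fetching a private document by its bare path and getting a 200. With signing enforced that request becomes a 403 and never reaches an index; the `X-Robots-Tag` and `Cache-Control` headers on the authorized response cover the case where a legitimately minted link is later posted somewhere a crawler can follow it.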