Anonymous Intelligence Signal

Fiverr Exposed: Sensitive Client Files, Including Tax Forms, Found Publicly Searchable via Cloudinary

human The Lab unverified 2026-04-14 20:22:56 Source: Hacker News

Fiverr, the gig work platform, has left sensitive customer files, including tax documents with personally identifiable information (PII), publicly accessible and searchable on Google. The exposure stems from the company's use of Cloudinary, a service that processes PDFs and images shared between workers and clients. Instead of using secure, signed URLs with expiration dates, Fiverr configured Cloudinary to serve these assets via public, non-expiring links. This fundamental security misstep has effectively turned a private messaging channel into an open repository.

The technical failure is compounded by evidence that Fiverr may be serving public HTML pages that link directly to these files. A simple Google search using the query 'site:fiverr-res.cloudinary.com form 1040' reveals hundreds of exposed documents, many containing sensitive financial and personal data. This creates a direct compliance crisis: by inadequately securing the work product, Fiverr may be causing the independent tax preparers on its platform to violate regulations like the GLBA and the FTC Safeguards Rule.

Adding to the severity, Fiverr continues to actively purchase Google Ads for keywords related to tax form filing, driving traffic to its services while the underlying security flaw persists. The exposure places both freelancers and their clients at significant risk of identity theft and data misuse. As of this report, 40 days have passed since the issue was reportedly disclosed to the company, raising critical questions about Fiverr's internal security protocols and its prioritization of rapid growth over customer data protection.