Freelance services marketplace Fiverr denied a media report that it leaked sensitive data.
The company made the denial in a reply to a Cybernews post on X that invited readers to “Learn what sensitive documents are leaked.”
In the article to which its post linked, Cybernews reported that an anonymous security researcher with the alias “morpheuskafka” said in a post on Hacker News that a publicly exposed instance of storage service Cloudinary that likely belonged to Fiverr was leaking Fiverr users’ invoices, tax return forms, driver’s licenses, credentials and other sensitive documents.
The Cloudinary platform, which is used for uploading and storing files, has support for signed/expiring URLs, but Fiverr uses public URLs for communication between clients and workers, according to the report.
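The difference the report draws between a public URL and a signed, expiring one can be shown with a small HMAC-based scheme. This is an added illustration, not Cloudinary's actual signing format or any Fiverr code; the host, path, secret and timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for this example only; a real deployment keeps it server-side.
SECRET = b"example-signing-secret-not-real"


def sign_url(base_url: str, path: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Return an expiring URL: the path and expiry are bound together by HMAC-SHA256,
    so neither the file name nor the deadline can be changed without the secret."""
    msg = f"{path}?exp={expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?{urlencode({'exp': expires_at, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None, secret: bytes = SECRET) -> bool:
    """Serve the file only if the signature matches and the expiry has not passed.
    A plain public URL (no exp/sig) is rejected outright."""
    if now is None:
        now = int(time.time())
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        exp = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now >= exp:
        return False  # link has expired; an indexed copy is useless after this point
    expected = hmac.new(secret, f"{parts.path}?exp={exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    link = sign_url("https://cdn.example.invalid", "/private/invoice-123.pdf", 1_000_600)
    print(link)
    print("valid before expiry:", verify_url(link, now=1_000_000))
    print("valid after expiry: ", verify_url(link, now=1_000_600))
    print("unsigned public URL:", verify_url("https://cdn.example.invalid/private/invoice-123.pdf", now=1_000_000))
```

A search engine that indexes a signed link only holds a credential that stops working at `exp`, whereas an indexed public URL stays retrievable indefinitely.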
Cybernews reported that it confirmed that many of the documents had been indexed by Google and that search results from affected web servers returned sensitive information with personally identifiable information (PII). The report added that users on the Hacker News forum shared links to such documents.
“This is a major security lapse by Fiverr, due to the links being publicly accessible and indexable, a lot of resources are already being indexed by Google,” Aras Nazarovas, information security researcher at Cybernews, said in the report. “Essentially all files that were shared between service buyers and sellers, including personal identity documents, sensitive contracts, passwords, and API keys shared with contractors, finished and work-in-progress deliverables.”
While individual files are exposed and publicly accessible, listing them requires the account’s API key, so the impact of the incident is limited to what the search engines have indexed, per the report.
In its reply to Cybernews’ post on X, Fiverr said: “To be clear, this is not a cyber incident. Fiverr does not proactively expose users’ private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer’s consent before it can be uploaded. As always, any request to remove content is handled promptly by our team.”
Cloudinary did not immediately reply to PYMNTS’ request for comment.
