By: Bryan Tropeano
A security issue involving Cloudinary and the freelance marketplace Fiverr has raised concerns about how sensitive user data is handled and protected online.
The problem centers on a publicly exposed Cloudinary instance that appears to be tied to Fiverr’s infrastructure. Cloudinary is commonly used by companies to store and deliver images, PDFs, and other media files across the web. In this case, it was reportedly being used to process and serve files shared through Fiverr’s internal messaging system, including documents exchanged between freelancers and clients.
According to an anonymous security researcher who shared the findings on Hacker News, the exposed storage allowed direct access to files through publicly accessible links. The researcher stated that the issue had been disclosed to the company more than 40 days earlier, but no response was received.
Because the files were not properly restricted, search engines were able to index them. Investigators confirmed that results from affected servers included highly sensitive materials such as tax documents, driver's licenses, invoices, and other records containing personally identifiable information. This type of exposure significantly increases the risk of identity theft, fraud, and unauthorized access to private accounts.
Security analysts say the scope of the leak could be extensive. The exposed files may include work shared between buyers and sellers on the platform, ranging from completed projects to drafts and internal documents. Some of the materials reportedly contain credentials, API keys, and other confidential data that should never be publicly accessible.
Aras Nazarovas, an information security researcher at Cybernews, described the situation as a major security lapse. The combination of public access and search engine indexing means that even if the issue is fixed, some of the data may have already been copied or archived by third parties.
I have personally sent contracts, invoices, and project files through platforms like Fiverr before, assuming everything inside those systems was private by default. Most people do. You are focused on getting work done, not thinking about whether a file link could end up indexed on a search engine. That is what makes situations like this especially concerning.
The incident highlights a broader issue with cloud-based storage systems. When misconfigured, services like Cloudinary can unintentionally expose large volumes of data to the open internet. Proper access controls, authentication, and indexing restrictions are critical to prevent this type of breach.
As of now, it remains unclear how many users may be affected or whether all exposed files have been secured. Users who have shared sensitive documents through Fiverr may want to monitor their accounts and consider taking precautionary steps such as updating passwords and reviewing any shared credentials.
This case serves as a reminder that even widely used platforms can face serious security challenges when third-party services are not properly configured.
About the author: Bryan Tropeano is a senior producer and a regular reporter for NewsWatch. He lives in Washington, D.C. and loves all things Tech.






