Apr 19, 2026 · 7 min read
Your Fiverr Tax Forms Are on Google—And Fiverr Says That's Not a Breach
A researcher dorked up 30,000 private Fiverr documents via a Cloudinary misconfiguration. Fiverr disclosed privately 40 days before going public. Fiverr's answer: this is "normal marketplace activity."
Sometime around early March 2026, a security researcher using the handle "Morpheuskafka" sat down at a Hacker News tab, typed a string of very specific search operators into Google, and watched the results pour in. Tax returns with Social Security numbers. Driver's licenses. Passports. API keys. Contracts. Spreadsheets with client lists. More than 30,000 private documents that Fiverr users believed they were sending privately to one other human.
Morpheuskafka sent the findings to Fiverr's security team. Fiverr did not reply. Forty days later, on April 15, 2026, the researcher went public. The company's response was not an apology or a patch—it was a statement saying no breach had occurred at all.
The Mechanism Is Embarrassingly Simple
Fiverr uses Cloudinary, a popular image and asset hosting service, to store files that users attach to messages. Cloudinary supports something called signed URLs—links that include a cryptographic signature and an expiration timestamp, so that only authorized users can open them and only for a limited window. That feature is built for exactly this use case.
Fiverr did not use it.
Instead, when a freelancer uploaded a tax form or a client uploaded a contract through Fiverr's in-platform messaging, the file was stored on a public URL under fiverr-res.cloudinary.com. The URL never expired. It required no authentication. And whenever one of those URLs appeared on any public page—a forum post, a gig description, a third-party site mirroring Fiverr content—Google's crawler treated it as fair game.
A simple Google search operator—site:fiverr-res.cloudinary.com filetype:pdf—was all it took to watch the leak live. Morpheuskafka documented 30,000 distinct links surfaced this way. The majority were PDFs. Many were exactly the documents freelancers and their clients most want to keep private:
- U.S. W-9 and 1099 tax forms with full names, addresses, and Social Security numbers
- International tax residency forms
- Driver's licenses and passport scans used for identity verification
- Invoices with physical addresses and client contact info
- Screenshots of internal dashboards including API keys and passwords
- Confidential project deliverables and contracts under NDA
- ID card scans used for age or identity proof
Fiverr's Position: This Is Not a Breach
When the story broke, Fiverr issued a statement that contested the entire framing of the report. "To be clear, this is not a cyber incident. Fiverr does not proactively expose users' private information," the company said. The documents, Fiverr argued, had been "shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers." Anyone who wanted a specific file removed could "request" it and Fiverr would "promptly" handle it.
The explanation does not survive a close read. A freelancer who uploads a W-9 to receive payment from a single buyer did not consent to that W-9 being indexed on the public web. A client who sends their driver's license through an identity verification flow did not agree for Google to surface it in search results. Consent to share with one person is not consent to publish.
What Fiverr's statement does not address is the technical choice that caused the exposure: Cloudinary's signed URL feature was available, documented, and free to use. Fiverr opted for public URLs with no expiration. That was the decision, and that decision is what got indexed.
How to Check If Your Own Documents Are Exposed
If you have ever uploaded an attachment to Fiverr—whether as a buyer or seller—here is how to check quickly without waiting for Fiverr's support queue.
- Google dork your email address. In Google, paste site:fiverr-res.cloudinary.com "your@email.com" and replace the email with yours. If results appear, one of your files is indexed.
- Search by filename patterns. Try site:fiverr-res.cloudinary.com filetype:pdf "W-9" or similar queries with form names you remember uploading.
- Use Google Images as a second check. Cloudinary serves both images and PDFs from the same hostname. An image search for your name or face can surface ID scans.
- Check the Wayback Machine. Even if Fiverr eventually removes a file, the Internet Archive may have cached it. Search fiverr-res.cloudinary.com for cached copies.
If you find something, do not just request removal through Fiverr's support form. Removing the file from Cloudinary does not remove it from Google's index. You also need to submit a removal request through Google's Search Console Removals Tool, and separately contact the Wayback Machine to request delisting.
The Bigger Pattern: Third Party Storage Misconfiguration
What happened at Fiverr is part of a broader category of breaches that do not require any hacking. The data was never "stolen"—it was published by the company itself, just to a URL the company assumed no one would find. This is the same pattern seen in Microsoft's AI research team's open Azure bucket in 2023, in Toyota's decade-long Google Cloud misconfiguration, and in countless S3 buckets sitting on publicly indexed endpoints.
The common thread is an implicit assumption that "hard to guess" URLs equal "private." That assumption breaks the moment one of those URLs ever leaves the private context. A single support ticket quoting the URL, a single blog post showing a screenshot, and the entire namespace becomes searchable. Cloudinary, S3, GCS, and every similar service publish guidance warning against this pattern. Companies keep ignoring it.
For developers and security teams, the IPPC pharmacy breach from this same week and this Fiverr story point in the same direction: the interesting part of a breach is rarely the attacker's cleverness. It is the defender's configuration choice that treated the storage layer as trustworthy on its own.
What You Can Actually Do Now
If you are a Fiverr user:
- Run the Google dorks above to check for your own documents.
- Request removal from Fiverr in writing—email, not just the support form—so you have a paper trail.
- Submit Google's URL removal request for any exposed file.
- If tax forms or ID documents were exposed, place a credit freeze and watch for targeted phishing referencing any project you worked on.
- Going forward, do not upload sensitive documents through Fiverr messaging. Use a dedicated secure transfer service with actual access controls—Proton Drive, a signed Cloudinary URL you generate yourself, or email with end-to-end encryption.
If you run a platform that stores user uploads on a CDN, the lesson is one configuration change away: signed URLs with short expirations, for every asset. It is free. It is documented. Fiverr could have done it. So can you.
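As an added illustration of the signed, expiring URL pattern described above (example code written for this article, not Fiverr's or Cloudinary's own implementation), here is a minimal signer and verifier in Python: the server signs the asset path together with an expiry using an HMAC, and the verifier rejects a bare, never-expiring URL of the kind that got indexed, a tampered path, or an expired link. The host, secret and file path are constructed placeholders, and Cloudinary's actual signed-delivery URL format differs from this generic scheme.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: in production the secret comes from a secrets
# manager and the host is your real CDN hostname, not this placeholder.
SECRET = b"constructed-demo-secret-do-not-reuse"
HOST = "https://cdn.example.invalid"


def _signature(path: str, expires: int) -> str:
    """HMAC-SHA256 over the asset path and its expiry, hex encoded."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Return a URL for `path` that is only valid for the next ttl_seconds.

    `now` is injectable so the behaviour can be tested deterministically.
    """
    current = now if now is not None else int(time.time())
    expires = current + ttl_seconds
    query = urlencode({"exp": expires, "sig": _signature(path, expires)})
    return f"{HOST}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Accept the URL only if it carries a valid, unexpired signature.

    A plain, unsigned URL (the misconfiguration this article describes)
    returns False, so a crawler that later finds it gets nothing.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # no signature at all: treat as unauthorized
    current = now if now is not None else int(time.time())
    if current >= expires:
        return False  # link has expired
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(_signature(parsed.path, expires), sig)
```

The verifier belongs in front of the storage layer (an edge function, gateway or origin-side check); a link that is merely "hard to guess" but passes no such check is public the moment it is pasted anywhere.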