Hacker Claims Fiverr User Data Exposed via Third-Party Cloud Service

**TL;DR:** A hacker claims to have accessed Fiverr user data—including tax returns, driving licenses, and physical addresses—through a third-party media service, though the company denies any breach of its systems.

Fiverr, the Tel Aviv-based freelance marketplace with millions of users worldwide, is facing allegations that sensitive user information was exposed online. A threat actor operating under the alias "Morpheuskafka" claims to have obtained PDFs, images, and videos containing tax returns, invoices, driving licenses, physical addresses, and information about users' family members.

The hacker asserts the data was not extracted directly from Fiverr's internal systems. Instead, the attacker alleges the information was accessed through Cloudinary, a cloud-based media management service commonly used for handling images and video content. This distinction matters: if confirmed, the exposure would represent a supply chain compromise rather than a direct breach of Fiverr's infrastructure.

According to claims made publicly, the potential exposure window spans approximately 40 days. The hacker states multiple attempts were made to notify Fiverr management before releasing information publicly. Fiverr has denied the breach allegations, stating there is no confirmed compromise of its systems.

The distribution method amplifies the potential impact. The attacker allegedly uploaded documents to a cloud storage platform and employed search engine optimization techniques to increase visibility in Google search results—a tactic that could make sensitive data more accessible to anyone conducting related searches.

What It Means:

This incident highlights the expanding attack surface created by third-party service dependencies. Even if Fiverr's own systems remain uncompromised, the alleged access through Cloudinary demonstrates how attackers can reach sensitive data through trusted vendors. Organizations entrusting user data to external services must verify those vendors' security postures and ensure appropriate access controls are in place.

The SEO-based distribution method represents a particularly concerning escalation. Unlike traditional data leaks confined to dark web forums, search-engine-optimized exposures create near-immediate accessibility for malicious actors, journalists, or anyone curious enough to search.

What Defenders Should Do:

1. Audit third-party integrations and cloud service permissions—ensure vendors follow least-privilege principles and have documented security controls.

2. Implement data loss prevention (DLP) controls on media upload pathways to detect sensitive documents being stored in unintended locations.

3. Monitor for exposed credentials and PII associated with your organization using Google Alerts or dedicated threat intelligence platforms.

4. Establish clear incident response procedures for third-party vulnerability reports, including defined response timelines.

5. Review Cloudinary's security documentation and ensure any configured access policies restrict data exposure to intended use cases only.

Watch for further developments as the investigation continues—whether Fiverr's denial holds or additional evidence emerges to substantiate the claims.