Fiverr Misconfiguration Exposes User Tax Records and IDs via Google Search
What Happened — A configuration error in Fiverr’s cloud storage allowed private user documents—including tax records, government IDs, and other personal files—to be indexed by Google and appear in public search results. The issue was discovered by security researchers and publicly disclosed.
Why It Matters for TPRM —
- Sensitive personal data of freelancers and clients can be harvested for identity theft or fraud.
- Misconfigurations reveal gaps in a vendor’s data‑handling controls, raising questions about their overall security hygiene.
- Third‑party risk programs must assess whether such exposure could affect downstream services that rely on Fiverr’s platform.
Who Is Affected — Freelance marketplace users (individuals and small businesses) across all industries; the exposure is not limited to a specific sector but impacts any Fiverr account holder.
Recommended Actions —
- Review Fiverr’s security posture and confirm remediation of the storage misconfiguration.
- Verify that any data your organization shared via Fiverr (e.g., contracts, invoices) has not been exposed.
- Update third‑party risk assessments to reflect the incident and require evidence of improved configuration management.
Technical Notes — The exposure stemmed from an Amazon S3 bucket (or equivalent object store) that was set to public read access, allowing web crawlers to index files. No known CVE was involved; the root cause is a cloud storage misconfiguration. Exposed data types include tax documents, government‑issued IDs, and other personally identifiable information (PII). Source: HackRead
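An added defender-side check, not code from HackRead or Fiverr: a small Python function that scans an S3 bucket policy for the unconditioned anonymous read grant described in the Technical Notes, run against a constructed weak policy and its corrected form. The bucket name, account id and role name are placeholders; bucket ACLs and the account-level Public Access Block settings are not inspected and would need a separate check.

```python
"""Flag S3 bucket policies that grant anonymous read, the misconfiguration class described above."""
import json

# Actions that let anyone fetch objects or enumerate keys; public ListBucket makes every file
# discoverable, public GetObject makes each discovered file readable (and therefore indexable).
PUBLIC_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal element matches everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_read_statements(policy: dict) -> list:
    """Return the Sids (or positions) of Allow statements granting unconditioned anonymous read.
    Statements carrying a Condition are skipped here and should be reviewed by hand."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & PUBLIC_READ_ACTIONS and "Condition" not in stmt:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


# Constructed sample (placeholder bucket name): the weak policy, anonymous GetObject on every key.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-user-uploads/*"}]
}""")

# Constructed sample (placeholder account id and role): readable only by one named application role.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-service"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-user-uploads/*"}]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "-> public read statements:", public_read_statements(policy))
```

The same function can be pointed at a live policy by feeding it the parsed output of `aws s3api get-bucket-policy`, which is the evidence a TPRM review would ask the vendor to produce.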