HeadlinesBriefing.com

Fiverr Exposed PII Via Public Cloudinary Asset Links

Hacker News

Gig platform Fiverr exposed sensitive customer files, including documents containing Personally Identifiable Information (PII), due to a configuration error involving their asset storage. Instead of employing signed or expiring URLs for file delivery via the third-party service Cloudinary, the platform defaulted to public links for worker-client communications.

This configuration flaw allowed these sensitive PDFs and images to become indexed by search engines. A specific example showed that queries like `site:fiverr-res.cloudinary.com form 1040` returned hundreds of results, effectively making private work product publicly searchable. This setup completely bypasses basic security assumptions for handling financial documents.

Compounding the issue, the report suggests Fiverr actively ran Google Ads targeting keywords related to form filing, despite knowing the resulting artifacts were insecurely handled, potentially violating the GLBA and the FTC Safeguards Rule. Responsible disclosure attempts to Fiverr's security team over 40 days went unanswered before this information was made public.

Developers must ensure that asset services like Cloudinary or S3 are used with access controls (signed or expiring delivery URLs rather than bare public links), especially when handling regulated data types. Relying on default public settings for communication channels involving financial or personal data creates an immediate, searchable compliance failure.