viaredux 2 days ago

Update: Fiverr denies allegations of a cybersecurity incident on X.

“To be clear, this is not a cyber incident. Fiverr does not proactively expose users’ private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer’s consent before it can be uploaded. As always, any request to remove content is handled promptly by our team.”

xtrial972 2 days ago

This is because you copied the link with the token; the token is generated for your logged-in user. Strip the token and it wouldn't work. Other users do not have your token.

ChrisMarshallNY 2 days ago

You send the bearer token as a GET argument?

I’m sure there’s a good reason for that. I do it, in a server that I publish for general use, but won’t do it, for the server that I control, as I make sure that it reads headers.

Some PHP servers ignore auth headers (and, I suspect, other APIs), so you need to set general-purpose frameworks and servers to use GET arguments, but that’s a security issue, for exactly the reason you state. Too easy to leak logins. If you use headers, then copying and pasting URLs won’t leak logins.

In any case, the token should be timed, but that’s a fairly weak precaution.
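
The header-versus-GET-argument point in the comment above, as an added example that is not part of the thread or any site's own code: the server accepts a timed bearer token only from the `Authorization` header, refuses requests that carry one in the URL, and strips token parameters before a URL is logged or shared. The parameter names, key, token format and `example.test` URLs used with it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-demo-key"          # constructed value, not a real key
TOKEN_PARAMS = {"token", "access_token"}  # assumed query parameter names


def issue_token(user, ttl, now=None):
    """Return 'user.expiry.mac': a timed token bound to one user."""
    expiry = int((time.time() if now is None else now) + ttl)
    msg = f"{user}.{expiry}"
    mac = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{mac}"


def verify_token(token, now=None):
    """Return the user if the MAC is valid and the token is unexpired, else None."""
    try:
        user, expiry, mac = token.rsplit(".", 2)
        expires_at = int(expiry)
    except ValueError:
        return None
    good = hmac.new(SECRET, f"{user}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return None
    return user if (time.time() if now is None else now) < expires_at else None


def authenticate(url, headers, now=None):
    """Accept the token only from the Authorization header, never from the URL."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if any(k.lower() in TOKEN_PARAMS for k, _ in query):
        return None  # refuse URL-borne credentials outright
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return verify_token(value.strip(), now)


def redact_url(url):
    """Drop token parameters so the URL is safe to log or paste elsewhere."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TOKEN_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))
```
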

viaredux 2 days ago

That's true, I just checked. I will edit my post, thanks!