
Invoicely Platform Accidentally Exposes Over 178,000 Invoices Containing Personal Records

Cybersecurity researcher Jeremiah Fowler, working with Website Planet, discovered a publicly accessible, non-password-protected database containing 178,519 unencrypted files apparently linked to Invoicely, a cloud-based invoicing SaaS operated by Vienna-based Stack Holdings GmbH.

The exposed documents, spanning XLSX, CSV, PDF, and image formats, were found during routine security research and secured within hours following a responsible disclosure notice.

Within a limited sampling, Fowler identified invoices storing personally identifiable information (PII) such as names, addresses, email contacts, phone numbers, tax ID numbers, and transaction records.

Other sensitive documents included scanned checks with routing and account numbers, tax filings, work logs, airline tickets, rideshare receipts, and health payment records. These files potentially exposed both individuals and businesses to significant privacy and financial risks.

While database metadata suggested ownership by Invoicely, its exact operational control remains uncertain: an internal team or a third-party contractor could have managed it. The duration of exposure is unknown, and it is unclear if unauthorized parties accessed the data before discovery.

Fowler did not receive a direct response from Invoicely after notification, though access restrictions were promptly applied.

Invoice Fraud and Identity Theft Concerns

The scope of the exposed content creates multiple potential attack vectors. Access to real invoices, purchase orders, and account numbers could facilitate invoice fraud, a rising global threat.

According to the 2024 AFP Payments Fraud and Control Survey, 80% of surveyed organizations reported invoice fraud attempts in 2023, up 15% from the prior year.

Attackers could leverage details such as vendor names and payment histories to craft convincing fraudulent requests, redirecting funds to malicious accounts.

Other risks include identity theft via exposed tax documents, which contained SSNs or tax IDs, birth dates, employer details, and earnings information.

Fraudulent tax filings, while less common than invoice scams, remain disruptive; in 2025, the IRS blocked an estimated $54 million USD in attempted fraudulent returns linked to stolen identities.

The leaked records could also enable spear-phishing and social engineering campaigns, targeting high-value individuals based on business transaction data.

Cloud Misconfigurations and Preventive Measures

The incident underscores the dangers of insecure cloud storage configurations, often caused by mismanaged AWS S3, Elasticsearch, or MongoDB instances, where data is left exposed without encryption or authentication.

Fowler recommended limiting data collection to essential fields, encrypting sensitive files so they remain unreadable without valid credentials, and implementing continuous monitoring and activity logging to detect unauthorized access attempts.


Regular vulnerability scanning and penetration testing should extend to both internal infrastructure and third-party contractors.

For potentially affected individuals and companies, proactive defensive measures include updating credentials, enabling multi-factor authentication, monitoring credit reports, and verifying all payment instructions against official channels.

Invoicely, which provides invoicing, billing automation, payment reminders, and expense tracking to over 250,000 global users via mobile and web applications, has not issued a public comment as of the time of reporting.

Fowler’s disclosure made clear that no evidence currently suggests active exploitation of the exposed dataset. The publication aims to raise awareness about proper data protection practices and prevent similar exposures in financial and accounting platforms worldwide.


The post Invoicely Platform Accidentally Exposes Over 178,000 Invoices Containing Personal Records appeared first on Cyber Security News.
