A database left open on the internet without encryption or password protection exposed 178,519 files, including XLSX, CSV, PDF, and image files. A review of some of the files revealed sensitive information, such as invoices containing personally identifiable information (PII) — names, addresses, phone numbers, tax ID numbers, and other details of employees, customers, partners, and service providers worldwide. Other exposed records included airline tickets, ride-share receipts, health insurance paperwork, and medical payment documents that should never have been made public.

Metadata and the database’s own naming suggested the records were linked to Invoicely, a product owned by Vienna-based SaaS portfolio company Stack Holdings GmbH. After a responsible disclosure report was sent through Invoicely’s support system, access to the database was locked down within hours. However, it is unclear whether Invoicely itself or an outside contractor managed the system, how long the data was exposed, or whether unauthorized parties accessed it before it was secured. No response was received to the disclosure notice, and only a forensic investigation could confirm the extent of the exposure.

Invoicely, a cloud-based invoicing and billing service, offers tools for estimates, recurring billing, payment reminders, and tracking expenses, time, and mileage. It provides both free and paid plans and supports iOS and Android. The company’s LinkedIn profile states the service is used by more than 250,000 businesses globally.

One of the leaked documents was a scanned check for a healthcare provider, complete with routing number, account number, and check number. Other exposed content included tax forms, purchase orders, time-tracking logs, and financial records, all of which could present significant risks if exploited. The variety of data stored in one place makes it a potential goldmine for identity theft, fraud, spear-phishing, and social engineering schemes. With access to names, emails, tax IDs, and financial details, attackers could impersonate individuals, manipulate transactions, or target high-value victims.

A growing concern is invoice fraud, which has risen sharply in recent years. The 2024 AFP Payments Fraud and Control Survey found that 80% of organizations were targeted by payment or invoice scams in 2023 — up 15% from 2022. Attackers often use insider-like details to craft convincing invoices, redirect payments, or commit identity theft. Similarly, tax records with personal identifiers and Social Security or tax ID numbers open the door to fraudulent tax filings. For example, during the 2025 U.S. tax season, the IRS reported blocking 6,000 fraudulent returns worth about $54 million. While there’s no indication Invoicely’s clients have faced such threats, the exposure highlights real-world risks.

Recommendations for companies handling invoicing and accounting platforms include:

  • Limiting data collection and retention wherever possible.
  • Encrypting sensitive data so it cannot be read without proper credentials.
  • Implementing continuous monitoring, logging, vulnerability scans, and penetration tests.
  • Ensuring third-party vendors also meet strict security standards.

Advice for individuals and businesses potentially affected by a breach:

  • Change passwords, enable multi-factor authentication, and avoid reusing passwords.
  • Check credit reports or use credit-monitoring services to detect suspicious activity.
  • Businesses should be cautious of unsolicited or duplicate invoices and always verify requests through official channels.
  • Keep thorough records, monitor financial statements, and adopt verification steps to detect and prevent fraud attempts.