Invoicely Database Leak Exposes 180,000 Sensitive Records

A large volume of private business and personal records was left exposed online after a database belonging to, or linked with, the invoicing and billing platform Invoicely was discovered with no password or encryption.

Cybersecurity researcher Jeremiah Fowler discovered the database. According to Fowler, it held nearly 180,000 files containing sensitive information on clients, partners, and employees around the world.

Invoicely, based in Vienna and operated by Stack Holdings GmbH, is a cloud-based platform that helps users create estimates, manage billing, send payment reminders, and track items such as time and vehicle mileage. The platform is widely used, reportedly by more than 250,000 businesses worldwide.

What Was Exposed

The exposed database held exactly 178,519 files, including invoices, various tax forms, images of checks, and banking details. The data was stored in common formats such as CSV and PDF. It also included Personally Identifiable Information (PII) such as names, physical addresses, phone numbers, and tax identification numbers. Fowler also found other documents that should be kept private, such as airline tickets and medical payment receipts.

The Risks Associated with Open Data

The exposure of this kind of data creates serious risks for identity theft and financial fraud, as it gives cybercriminals a wealth of information to exploit. For example, the presence of names, addresses, and financial account numbers could be used for highly targeted attacks, including spear-phishing.

Exposed invoices can also feed invoice fraud, in which criminals trick companies into paying fake bills. According to the 2024 AFP Payments Fraud and Control Survey, 80% of organisations experienced some form of invoice fraud attack in 2023.

The research, which was shared with Hackread.com, points out that organisations handling such sensitive data should encrypt it so that it is “extremely difficult to access without the correct credentials,” even if it is exposed.
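The encryption advice above, shown as an added example that is not code from the original article or from Invoicely: each exported record (a CSV row, a PDF's bytes) is sealed with AES-256-GCM from Go's standard library, with the record identifier bound in as associated data and the key generated separately from the data store. The sample record, the record identifiers and the function names are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a random 256-bit data-encryption key. In a real deployment
// this key lives in a KMS or secrets manager, never beside the data it protects,
// so that an exposed storage bucket or database yields only ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record with AES-256-GCM. The record identifier is
// passed as additional authenticated data, so a ciphertext cannot be silently
// moved to a different record. Stored layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. A wrong key, a wrong record ID, or any
// modification of the stored bytes fails the GCM tag check and returns an error.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed sample record; not data from the exposed database.
	record := []byte("INV-0001,Example Customer,123 Sample Street,TAX-000000")
	key, _ := NewKey()
	sealed, _ := EncryptRecord(key, "INV-0001", record)
	fmt.Printf("stored bytes (%d total), first 8: %x\n", len(sealed), sealed[:8])

	// With the correct key the record is recoverable.
	pt, err := DecryptRecord(key, "INV-0001", sealed)
	fmt.Println("correct key -> readable:", err == nil && string(pt) == string(record))

	// Whoever finds only the stored bytes, without the key, gets an error.
	wrongKey, _ := NewKey()
	_, err = DecryptRecord(wrongKey, "INV-0001", sealed)
	fmt.Println("wrong key ->", err)
}
```

The point of binding the record ID as associated data is that an attacker who can only read the store cannot even recombine ciphertexts across records; and because the key is generated and held elsewhere, an unauthenticated database like the one described in the article would expose nothing usable.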

It is worth noting that the database was quickly taken offline after the researcher notified the company, in line with responsible disclosure practice. However, it remains unknown whether the database was managed by Invoicely directly or by a third-party contractor, how long the information was publicly accessible, or whether any unauthorised person accessed the data. Users are therefore advised to enable multi-factor authentication and avoid reusing passwords.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.