178,000+ Invoices With Customers' Personal Records Exposed from Invoice Platform Invoicely


In early October 2025, cybersecurity researcher Jeremiah Fowler discovered a publicly accessible database belonging to Invoicely, a Vienna-based invoicing and billing platform used by over 250,000 businesses worldwide.

The repository contained 178,519 files in XLSX, CSV, PDF, and image formats, each harboring sensitive personal and financial information.

Among the exposed documents were invoices, scanned checks, tax filings, and ride-sharing receipts, revealing names, addresses, phone numbers, tax ID numbers, routing, and account details for healthcare providers, contractors, and corporate partners.

Figure: Scanned check showing ABA routing and account numbers (Source – Website Planet)

The sheer volume and variety of records amplified the potential fallout, from identity theft and spear-phishing to invoice fraud and unauthorized financial transactions.

Initial investigation showed that the database lacked any form of encryption or password protection, leaving it wide open to anyone with basic knowledge of its URL structure.

Within hours of receiving Fowler’s responsible-disclosure notice via Invoicely’s support system, the company restricted public access.


However, the duration of exposure remains unknown, raising concerns over how many threat actors could have copied or monitored the data before containment.

Early risk scenarios include fraudulent invoice submission using genuine invoice templates, counterfeit tax filings leveraging stolen identifiers, and highly targeted phishing campaigns based on real transaction details.

Website Planet analysts noted that the database name itself—‘invoicely_backup_public’—suggested it may have been intended for internal backup or third-party migration but was misconfigured for public access.

This misstep underscores recurring lapses in cloud storage governance across SaaS providers, where rapid deployment and scaling often outpace security controls.

Fowler did not find evidence of active exploitation, yet the potential for undetected data harvesting remains significant given the window of exposure.

Data Exposure Mechanism

The misconfiguration stemmed from an unsecured Amazon S3 bucket, inadvertently set to “public-read” instead of restricted access. Attackers could enumerate buckets using tools like AWSBucketFinder or simple HTTP requests.

Below is a Python snippet illustrating how an adversary might list the contents of such a bucket:

import boto3
from botocore import UNSIGNED
from botocore.config import Config

# Unsigned client: a public-read bucket answers anonymous requests, so no keys are needed
s3 = boto3.client('s3', config=Config(signature_version=UNSIGNED))

# list_objects_v2 returns at most 1,000 keys per call; paginate to walk every object
paginator = s3.get_paginator('list_objects_v2')
for page in paginator.paginate(Bucket="invoicely_backup_public"):
    for obj in page.get('Contents', []):
        print(obj['Key'])

This script highlights the absence of any authentication check: a world-readable bucket answers an anonymous ListBucket request, so a few lines of code can enumerate hundreds of thousands of files. One caveat for anyone reproducing this: the name as reported, invoicely_backup_public, contains underscores, which AWS has not accepted in newly created bucket names for years, so treat it as the name the researchers reported rather than as a guaranteed-valid S3 bucket name.

To mitigate such risks, SaaS providers must enforce strict access policies, automate storage audits, and adopt least-privilege principles when provisioning cloud resources.
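As an added example (not code from the page, from Invoicely, or from AWS), the following Python script shows what such an automated storage audit looks like in practice: it evaluates each bucket's Block Public Access settings, its ACL grants and its bucket policy, and reports any bucket that the world (AllUsers) or any AWS account (AuthenticatedUsers) can read. The evaluation is kept as a pure function over the dictionaries boto3 returns, so the weak setting (a public-read ACL with no Block Public Access) can be compared against the corrected one offline. The bucket name and the ACL/policy inputs at the bottom are constructed samples, not real Invoicely data; the boto3 calls used in audit_account (list_buckets, get_public_access_block, get_bucket_acl, get_bucket_policy) are the real S3 client methods, but that function needs AWS credentials and is not exercised by the sample run.

```python
"""Audit S3 buckets for public exposure (added example; not Invoicely's or AWS's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Grantee group URIs that expose a bucket to everyone / to any AWS account
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}

# The four Block Public Access flags; all four should be True on a locked-down bucket
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    bucket: str
    issues: List[str] = field(default_factory=list)

    @property
    def public(self) -> bool:
        return bool(self.issues)


def _public_acl_grants(acl: dict) -> List[str]:
    """Permissions in a GetBucketAcl response granted to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            out.append(f"ACL grants {grant['Permission']} to {group}")
    return out


def _public_policy_statements(policy: dict) -> List[str]:
    """Allow statements in a bucket policy whose Principal is the wildcard."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            out.append(f"policy allows {stmt.get('Action')} to Principal *")
    return out


def evaluate_bucket(name: str, bpa: Optional[dict], acl: dict, policy: Optional[dict]) -> Finding:
    """Pure evaluation over the dicts boto3 returns, so it can be tested without AWS access.

    bpa    -- PublicAccessBlockConfiguration dict, or None if the bucket has none
    acl    -- GetBucketAcl response
    policy -- parsed bucket policy document, or None if the bucket has no policy
    """
    finding = Finding(name)
    if bpa is None:
        finding.issues.append("no Block Public Access configuration")
    else:
        missing = [k for k in BPA_KEYS if not bpa.get(k, False)]
        if missing:
            finding.issues.append("Block Public Access disabled: " + ", ".join(missing))
    # Public ACL grants are only live when IgnorePublicAcls is off
    if bpa is None or not bpa.get("IgnorePublicAcls", False):
        finding.issues.extend(_public_acl_grants(acl))
    # A public bucket policy is only live when RestrictPublicBuckets is off
    if bpa is None or not bpa.get("RestrictPublicBuckets", False):
        finding.issues.extend(_public_policy_statements(policy or {}))
    return finding


def audit_account(region_name: Optional[str] = None) -> List[Finding]:
    """Walk every bucket in the account with boto3 and return the ones found public.

    Needs AWS credentials; boto3 is imported here so the pure logic above runs without it.
    """
    import json
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", region_name=region_name)
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            bpa = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            bpa = None
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        findings.append(evaluate_bucket(name, bpa, acl, policy))
    return [f for f in findings if f.public]


# Constructed sample inputs (not real Invoicely data): the weak setting beside the corrected one
PUBLIC_BACKUP_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LOCKED_DOWN_BPA = dict.fromkeys(BPA_KEYS, True)

if __name__ == "__main__":
    weak = evaluate_bucket("invoicely_backup_public", None, PUBLIC_BACKUP_ACL, None)
    fixed = evaluate_bucket("invoicely_backup_public", LOCKED_DOWN_BPA, PUBLIC_BACKUP_ACL, None)
    for f in (weak, fixed):
        print(f.bucket, "PUBLIC" if f.public else "ok", f.issues)
```

Run stand-alone, the script reports the first configuration as public (no Block Public Access and a READ grant to AllUsers) and the second as clean, even though the ACL is unchanged: with IgnorePublicAcls on, S3 disregards the grant. That is the point of turning on all four account- or bucket-level Block Public Access flags as the default for backup and migration buckets, and of running an audit like this on a schedule so a bucket that drifts back to public is caught before a researcher or an attacker finds it.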
