178,000+ Invoices from the Invoicely Platform Reveal Customer Information

The cloud-based invoicing software Invoicely has been impacted by a large data exposure that may have compromised sensitive client information from around the world.

178,519 files in a variety of formats, including Excel spreadsheets, CSV files, PDFs, and photos, were stored in a publicly accessible database. Most alarming was the total absence of security precautions: the information was neither encrypted nor password-protected, so anyone who found it online could access it.

During the inquiry by cybersecurity researcher Jeremiah Fowler, bills from service providers, partners, employees, and clients in several nations were found to contain personally identifiable information, including names, physical addresses, phone numbers, and tax identification numbers.

In addition to the usual corporate documents, the database contained medical payment information, ride-sharing receipts, plane tickets, and health insurance details.

Screenshots from the discovery, which displayed scanned checks with account numbers, nine-digit routing numbers, and check numbers, demonstrated the seriousness of the financial data exposure.

Jeremiah Fowler, a cybersecurity researcher, found an unencrypted database with around 180,000 files, including tax returns, bank account information, invoices, and other private documents.

The database and its contents indicated that it belonged to Invoicely, a software company run by Stack Holdings GmbH with headquarters in Vienna. In accordance with responsible disclosure guidelines, Fowler got in touch with Invoicely via their help platform right away.

Although the company did not formally reply to the notification, it acted swiftly, restricting public access to the information within hours of being notified.

Quarter Million Businesses

Businesses all over the world can use Invoicely’s cloud-based invoicing and billing services, which include tools for generating estimates, automating recurring billing, reminding customers to pay, and keeping track of spending and travel.

With a limited number of free users and paid tiers with more functionality, the site uses a freemium business model. According to its LinkedIn page, Invoicely serves over 250,000 businesses and is available on both the iOS and Android platforms.

Image: a healthcare provider's scanned check showing the account number, check number, and 9-digit routing (ABA) number.

It’s still unknown how long the database was open to the public or whether material was accessed by unauthorized persons prior to Fowler’s discovery.

Furthermore, an internal forensic audit would be necessary to ascertain whether Invoicely or a third-party contractor was directly in charge of managing the database.

Invoice Fraud Threatens Organizations

This incident comes as concerns about invoice fraud are growing. According to the 2024 AFP Payments Fraud and Control Survey, 80% of firms encountered attempts at payment or invoice fraud in 2023, a 15% increase from the year before.

Exposed invoice data gives criminals extensive knowledge about financial accounts, payment procedures, and corporate ties, which they can use to create complex fraud schemes.

The leaked tax forms pose additional risks because they include dates of birth, Social Security numbers, and employer information that make identity theft possible.

Authorities blocked $54 million in bogus refunds during the 2025 tax season, and the IRS estimated that almost 6,000 fake tax forms were filed using stolen identities.

Security experts advise businesses handling sensitive financial data to encrypt all stored data, conduct frequent vulnerability assessments, and keep monitoring systems up to date.

Potentially impacted companies and people should update the passwords on associated accounts, keep an eye on credit reports for unusual activity, and confirm any unforeseen payment requests via official channels before proceeding.

The event emphasizes how crucial it is to secure cloud-based business platforms, especially those that manage the financial and personal data of hundreds of thousands of users globally.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
