An unsecured database, left online without a password or encryption, exposed 178,519 files in various formats including spreadsheets, PDFs, CSV files, and images. A review of a portion of these documents revealed invoices that contained personally identifiable information (PII) — such as names, addresses, phone numbers, tax identification numbers, and more — belonging to employees, partners, customers, and service providers across multiple countries. The archive also contained documents that should never have been publicly accessible, such as airline tickets, ride-share receipts, and medical and insurance payment records.
Clues within the database, including its naming conventions, suggested that the information belonged to Invoicely, a service operated by Stack Holdings GmbH, a Vienna-based software portfolio company. After filing a responsible disclosure notice through Invoicely’s customer support system, the database was quickly secured and taken offline within hours. However, it remains unclear whether the database was directly managed by Invoicely or by a third-party vendor, how long it had been exposed, or whether any malicious actors accessed the data before it was locked down. No response was received to the disclosure notification, and only a full internal forensic review could confirm whether unauthorized access occurred.
Invoicely is a cloud-based billing and invoicing platform that allows users to create estimates, automate recurring payments, track time and expenses, and send reminders. It offers both free and paid plans and is available on iOS and Android. The company’s LinkedIn profile indicates the platform serves more than 250,000 businesses worldwide.
One exposed record included a scanned check issued to a healthcare provider, complete with the routing number, account number, and check number. Other leaked content included purchase orders, tax files, time logs, and work records. The broad mix of information concentrated in one place could be highly valuable to cybercriminals, enabling a wide range of potential attacks. With access to personal and financial details, criminals could attempt identity theft, fraud, spear-phishing, and targeted social engineering scams. Knowledge of specific business transactions or employment data could also help attackers single out high-value targets.
A growing risk tied to such leaks is invoice fraud. The 2024 AFP Payments Fraud and Control Survey revealed that 80% of organizations faced invoice or payment fraud attempts in 2023, up 15% from the year before. Fraudsters often manipulate or forge invoices using real company data to trick victims into transferring money into fraudulent accounts. With access to names, billing addresses, account numbers, and transaction histories from a breach, scammers can craft convincing fake invoices and redirect funds.
Leaked tax records also present risks such as fraudulent tax filings, since they often include Social Security numbers, employer details, and dates of birth. For example, during the 2025 U.S. tax season, the IRS intercepted 6,000 fraudulent returns valued at around $54 million. Even when these attempts are blocked, they cause serious inconvenience for victims, who may face lengthy disputes with tax authorities. While there’s no direct evidence that Invoicely customers were affected, these scenarios demonstrate the real-world dangers such exposures can create.
Security recommendations for companies running invoicing or accounting services include:
- Minimizing the amount of personal data collected and stored.
- Encrypting sensitive data so it remains unreadable without credentials.
- Using monitoring systems and logging tools to catch suspicious activity.
- Running frequent vulnerability scans and penetration tests to catch weaknesses early.
- Holding third-party vendors to the same data security standards.
Steps for individuals and organizations potentially impacted by a breach:
- Reset passwords on any affected accounts, use multi-factor authentication, and avoid reusing passwords across services.
- Review credit reports regularly or sign up for monitoring services to detect suspicious activity.
- Businesses should confirm the legitimacy of invoices and payment requests through official channels and watch for duplicates or altered account details.
- Keep thorough records, review financial statements often, and implement verification procedures to spot fraud early.
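The business-side advice above (verify invoices through official channels, watch for duplicates and altered account details) maps onto a small accounts-payable screening step. The code below is an added example, not from the article or from any vendor, of a pre-payment check that compares each incoming invoice against a vendor master record whose bank details were confirmed out of band, and holds anything with a duplicate invoice number, an unknown vendor, or a payee account that differs from the confirmed one. The vendor IDs, invoice numbers and `ACCT-PLACEHOLDER-*` account strings are constructed placeholders.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: str
    vendor_id: str
    amount: Decimal
    payee_account: str  # bank account the invoice asks to be paid into


# Vendor master: bank details previously confirmed with each vendor by phone or
# another channel that does not depend on the invoice itself (constructed sample data).
VENDOR_MASTER = {
    "V100": {"name": "Acme Cleaning", "account": "ACCT-PLACEHOLDER-0001"},
    "V200": {"name": "Northwind Hosting", "account": "ACCT-PLACEHOLDER-0002"},
}

# Invoices already paid, keyed by (vendor, invoice number) (constructed).
ALREADY_PAID = {("V100", "INV-2024-117")}

# Constructed batch: one normal invoice, one resubmission of a paid invoice,
# one with changed bank details, one from a vendor nobody has onboarded.
INCOMING = [
    Invoice("INV-2024-118", "V100", Decimal("1250.00"), "ACCT-PLACEHOLDER-0001"),
    Invoice("INV-2024-117", "V100", Decimal("1250.00"), "ACCT-PLACEHOLDER-0001"),
    Invoice("INV-0042", "V200", Decimal("9800.00"), "ACCT-PLACEHOLDER-9999"),
    Invoice("INV-7", "V999", Decimal("400.00"), "ACCT-PLACEHOLDER-0003"),
]


def screen_invoices(invoices, vendor_master, already_paid):
    """Return {(vendor_id, number): ("pay" | "hold", reasons)} for a batch."""
    decisions = {}
    seen_in_batch = set()
    for inv in invoices:
        key = (inv.vendor_id, inv.number)
        reasons = []
        # Duplicate detection covers both previously paid invoices and repeats
        # within the same batch.
        if key in already_paid or key in seen_in_batch:
            reasons.append("duplicate invoice number")
        seen_in_batch.add(key)
        vendor = vendor_master.get(inv.vendor_id)
        if vendor is None:
            reasons.append("vendor not in master; onboard and verify before paying")
        elif vendor["account"] != inv.payee_account:
            # The classic invoice-fraud signal: same vendor name, new bank account.
            reasons.append("payee account differs from confirmed vendor record")
        decisions[key] = ("hold", tuple(reasons)) if reasons else ("pay", ())
    return decisions


def payable_total(decisions, invoices) -> Decimal:
    """Sum of amounts cleared for payment; held invoices contribute nothing."""
    by_key = {(i.vendor_id, i.number): i for i in invoices}
    return sum(
        (by_key[k].amount for k, (verdict, _) in decisions.items() if verdict == "pay"),
        Decimal("0"),
    )


if __name__ == "__main__":
    result = screen_invoices(INCOMING, VENDOR_MASTER, ALREADY_PAID)
    for (vendor, number), (verdict, reasons) in result.items():
        print(vendor, number, verdict, "; ".join(reasons))
    print("cleared for payment:", payable_total(result, INCOMING))
```

Only the first invoice is released; the other three are held with a stated reason so the accounts-payable team knows which phone call to make. The check deliberately treats a changed account number as a hold rather than an update: bank details in the vendor master should only change after confirmation through the contact on file, never on the strength of the invoice or an e-mail announcing the change.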
