Invoicely leaks nearly 180,000 files containing sensitive financial and personal data

Cybersecurity researcher Jeremiah Fowler discovered a publicly exposed database containing 178,519 files belonging to Invoicely by Stack Holdings GmbH, a Vienna-based SaaS portfolio company. 

The database exposed sensitive business and personal information, including invoices, financial documents, tax records, and personally identifiable information (PII) of customers, employees, service providers, and partners. The database was secured within hours of responsible disclosure.

Invoicely is a cloud-based invoicing and billing platform that provides tools for creating estimates, automating recurring billing, sending payment reminders, and tracking time, expenses, and vehicle mileage. According to the company's LinkedIn page, Invoicely serves more than 250,000 businesses worldwide.

The exposed database contained files in multiple formats including xlsx, csv, pdf, and various image formats. Exposed data includes:

• Names of customers, employees, service providers, and partners
• Physical addresses
• Phone numbers
• Email addresses
• Tax ID numbers and Social Security Numbers (SSNs)
• Dates of birth
• Banking information including routing (ABA) numbers and account numbers
• Scanned images of checks with check numbers
• Invoices and purchase orders
• Work and time-tracking records
• Tax documents including sensitive employer details
• Airline tickets and travel receipts
• Ride-sharing service receipts
• Health insurance documentation
• Medical payment records
• Business transaction details
• Employment agreement information

The number of affected individuals is not disclosed. Fowler did not receive a response from Invoicely and the company has not issued a public statement about the incident. 

It is not clear how long the database was exposed before discovery or whether any unauthorized parties accessed the information during that period.