A massive data exposure linked to the invoicing and billing platform Invoicely left nearly 180,000 private files accessible online without password protection or encryption.

The unprotected database, discovered by cybersecurity researcher Jeremiah Fowler, contained sensitive business and personal data from clients, partners, and employees around the world. Invoicely, operated by Vienna-based Stack Holdings GmbH, serves more than 250,000 businesses globally.

The database reportedly contained 178,519 files, including invoices, tax forms, banking details, check images, and personal information such as names, addresses, phone numbers, and tax identification numbers. Some documents also included private materials like airline tickets and medical payment receipts. The exposure of this data poses serious risks of identity theft, financial fraud, and invoice scams, as criminals could leverage the detailed financial records for targeted phishing or fraudulent payment requests.

Following Fowler’s responsible disclosure, the database was swiftly taken offline. However, it remains unclear whether it was directly managed by Invoicely or by a third-party contractor, how long it was exposed, or whether any unauthorized access occurred. Security experts stress the importance of data encryption, strong access controls, and multi-factor authentication to protect users and organizations from similar incidents in the future.