
178K Invoicely Records Exposed in Cloud Data Leak

Unsecured S3 bucket exposes 178K Invoicely records, revealing SaaS security risks and the need for stronger cloud data protection.

Written By
Ken Underhill
Oct 14, 2025

In early October 2025, cybersecurity researcher Jeremiah Fowler discovered an unprotected database linked to Invoicely, a Vienna-based invoicing and billing platform used by more than 250,000 businesses worldwide. 

The exposed repository contained 178,519 files, including invoices, scanned checks, tax documents, and receipts — each containing sensitive personal and financial information.

“The publicly exposed database was not password-protected or encrypted,” said Fowler.

SaaS missteps highlight ongoing cloud security challenges

The incident underscores the persistent risks associated with cloud misconfigurations and data governance failures in the software-as-a-service (SaaS) sector. 

Exposed records contained personally identifiable information (PII) and payment details that could be exploited for identity theft, invoice fraud, or targeted phishing attacks.

Invoicely’s platform provides cloud-based tools for automating billing, recurring payments, and expense tracking. 

Given its wide adoption by small businesses, freelancers, and corporations alike, Invoicely’s exposure raises concerns about the security posture of SaaS vendors handling sensitive customer and financial data.

Unsecured S3 bucket behind Invoicely data exposure

The data leak stemmed from an unsecured Amazon S3 bucket misconfigured with “public-read” permissions, meaning anyone who knew the URL structure could access its contents.

No authentication or encryption protected the files, leaving them vulnerable to simple enumeration tools such as AWSBucketFinder.

The researcher noted that the bucket’s name, invoicely_backup_public, suggested it may have been intended for internal backups or migration. 

However, the absence of security controls made it fully accessible to the public internet. 

According to Fowler, “It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.” 

Although no evidence of exploitation has surfaced as of this publication date, the potential damage is significant. The trove of exposed data could enable invoice forgery, fraudulent tax filings, or social engineering attacks leveraging real transaction details.
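The check below is an added example, not code from the article or from Invoicely. It shows how an audit script can decide whether a bucket is publicly readable from its ACL, bucket policy and Block Public Access settings. It assumes the inputs have the shape returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock operations; the sample ACL and the function names are constructed for illustration.

```python
import json

GROUPS = "http://acs.amazonaws.com/groups/global/"
# Predefined S3 groups: a grant to either one makes the ACL public.
PUBLIC_GROUPS = {GROUPS + "AllUsers", GROUPS + "AuthenticatedUsers"}

def public_acl_grants(acl):
    """Return the permissions an ACL grants to the public groups."""
    return sorted(
        g["Permission"] for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    )

def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to any principal.

    Simplification (assumption): any Condition is treated as restricting
    access; a real audit must evaluate the condition keys themselves.
    """
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be an object
        stmts = [stmts]
    hits = []
    for i, s in enumerate(stmts):
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            hits.append(s.get("Sid", f"statement[{i}]"))
    return hits

def assess_bucket(acl, policy_json=None, pab=None):
    """Combine ACL, policy and Block Public Access into a list of findings."""
    pab = pab or {}                      # no configuration means nothing is blocked
    findings = []
    grants = public_acl_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append(f"public ACL grants: {', '.join(grants)}")
    sids = public_policy_statements(policy_json)
    if sids and not pab.get("RestrictPublicBuckets", False):
        findings.append(f"public policy statements: {', '.join(sids)}")
    return findings

# Constructed sample: the grant set the "public-read" canned ACL produces.
PUBLIC_READ_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": GROUPS + "AllUsers"}, "Permission": "READ"},
]}
```

An empty result from `assess_bucket` means neither the ACL nor the policy leaves the bucket open once Block Public Access is taken into account.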

Building a stronger cloud security foundation

To reduce the likelihood and impact of future data exposures, organizations should adopt a layered security strategy that combines technical controls, proactive monitoring, and a culture of accountability.

  • Strengthen cloud governance: Enforce strict storage policies, use cloud security posture management (CSPM) tools to detect misconfigurations, and audit access controls for compliance.
  • Protect and limit data: Encrypt data in transit and at rest, reduce retention, and deploy data loss prevention (DLP) tools to prevent unauthorized exposure.
  • Tighten identity and access controls: Apply zero-trust, require MFA, and enforce least-privilege access through role-based access control (RBAC) or attribute-based access control (ABAC).
  • Embed security in DevOps: Integrate security checks into IaC and CI/CD pipelines with regular automated vulnerability testing.
  • Enhance response and vendor oversight: Maintain a tested incident response plan, monitor for anomalies, and hold vendors to equal security standards.
  • Foster a security-first culture: Provide continuous security training and promote responsible disclosure through bug bounty programs.

By implementing these measures, organizations can reduce their risk of cloud misconfigurations, data leaks, and insider threats.

Balancing scalability and security in the cloud era

As organizations increasingly rely on SaaS platforms, the rush to deploy scalable services often outpaces secure configuration management.

According to the 2024 AFP Payments Fraud and Control Survey, 80% of organizations experienced invoice fraud attempts in 2023, a 15-percentage-point rise from 65% in 2022.

Exposures like Invoicely’s provide malicious actors with the perfect toolkit to launch convincing fraud campaigns, magnifying risks across the financial ecosystem.

While Invoicely responded swiftly to secure its systems, the event serves as a cautionary tale for all cloud-based service providers: data visibility must never come at the expense of security. 

As cloud adoption accelerates, even a single misconfigured backup can expose thousands of customers to identity and financial fraud.

Given the growing risks of data exposure, organizations should carefully evaluate which cloud storage providers offer the reliability, security, and compliance features needed to protect their data.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
