Invoicely, a cloud-based billing and accounting platform used by small businesses worldwide, has reportedly suffered a significant data breach exposing sensitive records from customers, partners, and employees. According to a report by cybersecurity researcher Jeremiah Fowler, published by Website Planet, a database containing nearly 180,000 files was left publicly accessible without password protection.
The unsecured dataset included documents in XLSX, CSV, PDF, and image formats. According to the report, the exposed materials contained a wide range of personally identifiable information (PII) such as full names, physical and email addresses, phone numbers, tax identification numbers, and, in some cases, financial account details. Fowler said the data appeared to belong to individuals and organisations across multiple countries, reflecting the company’s global user base.
The exposure was discovered as part of Fowler’s routine web security research. He reported that the open database could have allowed unauthorised access to sensitive business and personal information for an unknown period before discovery. Invoicely, which operates as a digital invoicing and payments service, has not yet issued a formal public statement about the breach or confirmed the timeframe of the exposure.
Cybersecurity experts warn that such unprotected databases can become easy targets for cybercriminals. The combination of financial details and identification numbers, they note, creates an elevated risk of identity theft, financial fraud, and phishing campaigns. Attackers could also use the information to impersonate individuals or businesses in social engineering schemes.
“The volume and nature of this data make it highly valuable for exploitation,” Fowler noted in the report. “Even partial information, such as tax numbers or email addresses linked to invoices, can be used to construct convincing scams.”
Data breaches involving financial software providers have become increasingly common as small and mid-sized businesses adopt cloud-based tools to manage operations. Analysts say the Invoicely incident underscores ongoing concerns about security standards within SaaS-based accounting and billing platforms, particularly those serving global markets where compliance regimes differ.
While no evidence has yet surfaced of malicious use, cybersecurity professionals advise affected organisations and individuals to exercise caution. Common recommendations include monitoring for unusual account activity, resetting passwords, and avoiding unsolicited emails requesting personal or payment information.
Website Planet stated that it notified Invoicely of the exposure and that the database was secured shortly after disclosure. The report did not specify whether the incident has been reported to relevant data protection authorities, though regulations such as the EU’s General Data Protection Regulation (GDPR) would require notification if European residents’ data were included.
As of publication, Invoicely had not publicly confirmed the breach or commented on remediation steps. The company’s website continues to promote its invoicing and payment solutions to freelancers, agencies, and small businesses across more than 100 countries.