Click on 'current usage' in your account and it takes you to your current invoice, which is accessible via the URL that he mentions. It appears to be only the current months usage / invoice that is vulnerable.

EDIT: removing URLs because it's the right thing to do.

Yikes - so are past invoices available as well then via the show/:id url?