Incident

Vroom by YouX leaks sensitive financial documents in unsecured database



The cybersecurity researcher Jeremiah Fowler discovered that the Australian fintech company Vroom by YouX (formerly Drive IQ) was leaking data via an unsecured Amazon S3 database containing 27,000 sensitive financial and identity records.

Vroom was launched in June 2022 by Drive IQ Technology as an AI-powered dealership finance platform that matches customers with vehicle lenders. The company rebranded from Drive IQ to YouX in 2023. Its website claims that it is "Australia's largest online marketplace for car loans."

The publicly accessible database contained highly sensitive documents including:

  • Driver's licenses
  • Medicaid cards
  • Employment statements
  • Bank statements with account numbers
  • Partial credit card numbers (first 3 and last 4 digits)

In addition to the exposed S3 database, Fowler observed an internal screenshot revealing information about a MongoDB storage instance reportedly containing 3.2 million documents. While Fowler did not verify if this MongoDB instance was publicly accessible, he noted that exposing information about internal storage locations creates additional potential security risks.

The exact number of individuals affected beyond the 27,000 exposed records is not disclosed.

Fowler sent a responsible disclosure notice to Vroom, after which the database was secured and access restricted.

The affected records dated from 2022 through 2025 and contained references to both Vroom and Drive IQ, though no mentions of the company's newest brand name, YouX, were observed. It's unclear whether the database was managed directly by Vroom by YouX or by a third-party contractor, and the duration of the exposure before discovery is unknown.

Update - As of 16th of February 2026, Australian financial technology platform youX (formerly Drive IQ) reports a significant data breach on February 17, 2026. The hacker claims that the database remained accessible ten months following the initial discovery. This allowed the attacker to scrape data related to over 90 downstream lenders and hundreds of broker organizations.

The hacker claims the compromised data includes:

  • Financial details for 444,538 unique borrowers
  • 629,597 loan applications
  • 229,236 Australian driver’s licenses
  • 607,822 residential addresses
  • 8,000 password hashes belonging to broker employees
  • Data for 797 broker organizations, including ABNs, banking details, staff directories and customer portfolios

The number of affected individuals is possibly 444,538. The company confirmed an incident but has not disclosed details. The company notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) and started an investigation.

The organization will begin notifying affected individuals whose personal information was compromised. 
