infotechlead

Database exposes 27,000 records from fintech Vroom by YouX

Cybersecurity researcher Jeremiah Fowler discovered and reported to Website Planet a non-password-protected database containing 27,000 records belonging to Vroom by YouX, an Australia-based fintech company specializing in automotive financing.

The publicly exposed Amazon S3 database contained sensitive records, including driver’s licenses, Medicaid cards, employment statements, and bank statements with account numbers and partial credit card details. The database’s internal files indicated ownership by Vroom by YouX, formerly known as Drive IQ. An internal screenshot also revealed another MongoDB storage instance with 3.2 million documents, though its accessibility was not confirmed.

Upon discovery, a responsible disclosure notice was sent to Vroom, and the database was quickly restricted from public access. AWS S3 is considered a NoSQL database, which is why it is referenced as a “database” in this report. It remains unclear whether Vroom by YouX or a third-party contractor owned and managed the exposed database.

The duration of the exposure and whether unauthorized access occurred are unknown, as only an internal forensic audit could determine additional access or suspicious activity. Vroom responded the following day, stating they had resolved the vulnerability and planned a post-incident review to determine necessary process improvements.

Launched in June 2022 by Drive IQ Technology, Vroom is an AI-powered dealership finance platform designed to streamline vehicle financing by matching customers with lenders. In 2023, Drive IQ rebranded to YouX. The leaked records range from 2022 to 2025.

Although references to Vroom and Drive IQ were present, there were no direct mentions of YouX. The service was previously described as reviewing customer identification and credit information, analyzing vehicle details, and using AI matching algorithms to generate pre-approved finance offers. Drive IQ claims to be Australia’s largest online marketplace for car loans.

Identity documents are required for financing approval, but such records should never be publicly accessible. While the database contained images of users’ documents, proprietary coding or development details of Vroom’s technology were not present. Any exposure of identification and financial documents carries serious risks, as cybercriminals can use them for fraud, social engineering, and impersonation.

The presence of partial credit card numbers in JSON files further increases risks, as criminals could cross-reference previous breaches to reconstruct full card details or use phishing scams to extract missing information. While there is no immediate evidence that Vroom customers are being targeted, such data exposures highlight the real-world dangers associated with unsecured financial records.

According to a 2024 study by Sophos, 65 percent of financial organizations have fallen victim to ransomware attacks. As fintech continues evolving, cybersecurity must keep pace with emerging threats.

Fintech companies should implement stringent security measures for both customer-facing applications and internal storage systems. End-to-end encryption of sensitive data, strict access controls, and multi-factor authentication (MFA) for users and employees are essential protections. Regular security audits and penetration testing can help identify vulnerabilities and prevent data exposures.

Additionally, companies should adopt data minimization policies, storing only necessary records and deleting outdated information to reduce liability. Active monitoring and anomaly detection can further safeguard data by identifying suspicious activity before it escalates into a full-blown breach.

When personal information is exposed, affected users should be promptly notified so they can take protective measures. Customers should monitor their credit reports and financial accounts for unusual activity, reporting any suspicious transactions to their financial institution and relevant authorities.

Cybercriminals often exploit data breaches for phishing attempts, impersonating financial institutions to extract additional information. Individuals should verify the authenticity of any unexpected requests for sensitive data and use official communication channels when handling personal information.

Updating passwords and enabling MFA on potentially compromised accounts can add an extra layer of security. If identity theft is suspected, individuals in Australia should contact the Australian Cyber Security Centre (ACSC) and report incidents to Scamwatch to help prevent further fraud.

InfotechLead.com News Desk
