youX confirms breach after data leak

A recent cyber incident has escalated as new developments emerge


By Jonalyn Cueto

Australian digital platform youX has confirmed unauthorised access to its systems by a third party, after a threat actor released data it claims to have obtained during the incident.

The company stated it had identified that personal information may have been compromised as a result of the breach, which it had flagged as an IT security incident about one week earlier.

“We are now aware that a threat actor has released data that it claims to have obtained as part of its unauthorised access,” youX said in a statement. “As a result, we have identified that personal information may have been compromised.”

youX said it had notified the Office of the Australian Information Commissioner (OAIC) throughout the matter and would continue lodging appropriate regulatory notifications. The company said it would also begin notifying affected individuals whose information may have been compromised.

“In accordance with our legal obligations, we have kept the Office of the Australian Information Commissioner (OAIC) informed throughout this matter,” the company said.

youX said it had engaged specialist external experts to examine the nature and scope of the incident and was also working with the Australian Cyber Security Centre.

The company said it had implemented additional security controls and enhanced monitoring across its systems following the breach.

“We regret that this incident has occurred and recognise the importance of transparency,” youX said. “We remain focused on reinforcing and sustaining robust resilience measures across the organisation, consistent with recognised industry standards and best practice frameworks.”

youX said its investigation remained ongoing and that it would provide further updates as the matter progressed.

Alleged scale of exposure

According to reporting by Cyber Daily, the threat actor claims to have exfiltrated 141 GB of data from a MongoDB Atlas cluster, with a “preview” of the full dataset allegedly containing “$3.7 billion in loan applications across 149,349 records, submitted to 93 lenders, with 5,010 driver’s licences, 5,955 residential histories, and 5,955 employment records.” The hacker has threatened to release further tranches of data in stages.

More than 8,000 password hashes belonging to various broker employees have also been compromised as part of the incident. The threat actor also referenced a March 2025 report by white hat researcher Jeremiah Fowler, who first identified an insecure MongoDB instance belonging to the company – then operating as Vroom by youX – and alleged the instance remained accessible some 10 months later.

The publicly accessible database discovered by Fowler in March 2025 contained driver’s licences, Medicare cards, bank statements with account numbers, partial credit card numbers, and employment records dating from 2022 to 2025. At the time, the company said it had identified and resolved the vulnerability.

Industry partner Viking Asset Aggregation confirmed to Cyber Daily that it was aware of the incident and said it was working with youX to support stakeholders and manage inquiries.

Speaking with Cyber Daily, Rapid7 director of vulnerability intelligence Douglas McKee said the scale of the exposure carried broader risks beyond the platform itself.

“Sure enough, once a massive dataset is circulating online, the attack surface extends far beyond the original platform. Brokers, clients, and even partner organisations now have to assume their information may be used in highly targeted social engineering campaigns. The reality of it is that breaches like this are rarely isolated events. They tend to become force multipliers for other criminal activity,” McKee said.

Reporting obligations tighten

The incident lands against a backdrop of tightening privacy enforcement in Australia. In October 2025, the Federal Court ordered Australian Clinical Labs to pay $5.8 million in civil penalties – the first civil penalty under the Privacy Act – following a 2022 data breach affecting 223,000 customers. The OAIC alleged serious and systemic failures that left the company vulnerable to cyberattack.

Under Australia’s current penalty framework, serious privacy breaches can attract fines of up to $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

Separately, under the Cyber Security Act 2024, businesses with annual turnover above $3 million are required to report any ransomware or cyber extortion payment to the Australian Signals Directorate within 72 hours of making it.
