A member of a notorious hacking platform has claimed responsibility for a hack impacting hundreds of thousands of Australians.
Australian fintech platform youX, the victim of the hack, confirmed this week it had “identified unauthorised access to its systems, by a third party” and was undertaking an investigation.
“We are now aware that a threat actor has released data that it claims to have obtained as part of its unauthorised access. As a result, we have identified that personal information may have been compromised,” youX said in a February 17 update to its disclosure statement.
“In accordance with our legal obligations, we have kept the Office of the Australian Information Commissioner (OAIC) informed throughout this matter. Now that the incident has evolved, we will continue lodging the appropriate regulatory notification. We will also be commencing the appropriate regulatory notifications to affected individuals whose information may have been compromised.”
While youX is continuing to investigate the incident and engage with stakeholders, the hacker has made some alarming claims about the data compromised in the breach.
“Among other things,” the hacker said, “we were able to exfiltrate the personal and financial data of 444,538 unique borrowers – income, debts, government IDs, home addresses – because they trusted their finance brokers, and those brokers made the critical error of trusting youX.”
The hacker claims to have accessed an unsecured MongoDB Atlas cluster with data relating to more than 90 “downstream lenders”. The full dataset, according to the hacker, contains the following:
- Financial details for 444,538 unique borrowers
- 629,597 loan applications
- 229,236 Australian driver’s licences
- 607,822 residential addresses
- As well as data belonging to 797 broker organisations, including ABNs, banking details, staff directories, and full customer portfolios
For now, the hacker has only shared a ‘preview’ of the full dataset, though this allegedly contains “$3.7 billion in loan applications across 149,349 records, submitted to 93 lenders, with 5,010 driver’s licenses, 5,955 residential histories, and 5,955 employment records”.
More than 8,000 password hashes belonging to various broker employees have also been compromised as part of the incident.
The hacker also referenced a report by white hat researcher Jeremiah Fowler, who first identified the insecure MongoDB instance in March 2025. The hacker claims that the instance was still easily accessible “ten months later”.
“We gave youX a chance,” the hacker said. The hacker is continuing to extort the company ahead of releasing further tranches of data “in stages over the coming weeks”.
Viking Asset Aggregation, which is involved in the breach, acknowledged the incident to Cyber Daily’s sister publication Broker Daily.
"Viking Aggregation is aware that one of our finance technology partners youX has recently experienced an IT security incident that involved unauthorised access to their systems by a third party," Viking's general manager, Simon Gwynne, told Broker Daily.
"Viking Aggregation continues to work closely with youX to actively engage with our stakeholders, supporting any enquiries and will provide updates if any additional relevant information becomes available."
David Hollingworth