Speaking with Cyber Daily, Rapid7 Director of Vulnerability Intelligence Douglas McKee said that the main concern is not the fact that data was exposed, but the type of data and where it was found, as this could lead to further impacts down the line.
“When you look at what happened with YouX, the headline is not just that data was exposed, it is the type of data and the ecosystem it sits in. We are talking about client and broker information in a fintech platform that brokers use as part of their daily workflow. In financial services, platforms like this become aggregation points,” he said.
“They centralise identity documents, contact details, financial context, and sometimes authentication artifacts. That makes them incredibly attractive to threat actors because one compromise can yield a dataset that is immediately monetisable for fraud, phishing, and downstream account takeover.
“Sure enough, once a massive dataset is circulating online, the attack surface extends far beyond the original platform. Brokers, clients, and even partner organisations now have to assume their information may be used in highly targeted social engineering campaigns. The reality of it is that breaches like this are rarely isolated events. They tend to become force multipliers for other criminal activity.”
The threat actor, who posted the data to a hacking forum, claims to have stolen the personal and financial data of 444,538 borrowers after allegedly accessing an unsecured MongoDB Atlas cluster, which contained data relating to over 90 “downstream lenders.” According to the hacker, the full dataset contains:
- Financial details for 444,538 unique borrowers.
- Details of 629,597 loan applications.
- Copies of 229,236 Australian driver’s licences.
- A total of 607,822 residential addresses.
- As well as data belonging to 797 broker organisations, including ABNs, banking details, staff directories, and full customer portfolios.
While the entire database is not public, the hacker posted a “preview” sample that allegedly contains “$3.7 billion in loan applications across 149,349 records, submitted to 93 lenders, with 5,010 driver’s licenses, 5,955 residential histories, and 5,955 employment records”.
Over 8,000 password hashes belonging to various broker employees were also compromised.
“What concerns me most is not just the initial intrusion but the secondary and tertiary impacts. Once threat actors demonstrate they can access and publish large volumes of data, copycat activity and credential stuffing campaigns often follow,” added McKee.
“I have spent a lot of time looking at how attackers chain seemingly small exposures into larger fraud operations, and this is exactly the kind of dataset that enables that. Even if core financial systems were not directly manipulated, the reputational and trust impact can be significant in a broker driven market. This becomes extremely important because trust is the currency in financial services.”
What have youX said?
youX confirmed this week that it had “identified unauthorised access to its systems, by a third party” and was undertaking an investigation.
“We are now aware that a threat actor has released data that it claims to have obtained as part of its unauthorised access. As a result, we have identified that personal information may have been compromised,” youX said in a 17 February update to its disclosure statement.
“In accordance with our legal obligations, we have kept the Office of the Australian Information Commissioner (OAIC) informed throughout this matter. Now that the incident has evolved, we will continue lodging the appropriate regulatory notification. We will also be commencing the appropriate regulatory notifications to affected individuals whose information may have been compromised.”
However, the hacker also referenced a report by white hat researcher Jeremiah Fowler, who first identified the insecure MongoDB instance in March 2025. The hacker claims that the instance was still easily accessible “10 months later”.
“We gave youX a chance,” the hacker said, continuing to extort the company, ahead of releasing further tranches of data “in stages over the coming weeks”.
However, based on reports, when Fowler notified youX of the vulnerability, the firm said it had fixed the issue.
Viking Asset Aggregation, which is involved in the breach, acknowledged the incident to Cyber Daily’s sister brand, Broker Daily.
“Viking Asset Aggregation is aware that one of our finance technology partners, youX, has recently experienced an IT security incident that involved unauthorised access to their systems by a third party,” Viking Asset’s general manager, Simon Gwynne, told Broker Daily.
“Viking Asset Aggregation continues to work closely with youX to actively engage with our stakeholders, supporting any enquiries and will provide updates if any additional relevant information becomes available.”
Daniel Croft