Thousands of Australians just got their IDs and bank details exposed


Australia’s largest online marketplace for car loans has exposed thousands of driver's licenses and partial credit card details.

Vroom by YouX, an Australia-based fintech company, has left its front doors wide open. A passwordless database with 27,000 records of sensitive user data was found online, with the leaked records ranging from 2022 through to 2025.

What data did Vroom leak?

  • Driver’s licenses
  • Medicaid cards
  • Employment statements
  • Bank statements with account numbers and partial credit card numbers

Launched in 2022, the company is located in New South Wales and specializes in car loans, matching clients with potential lenders. Users must submit identity and financial documents for the loan approval process. However, such sensitive data should always be secure and never be openly accessible to anyone online.

The data leak was first discovered by cybersecurity researcher Jeremiah Fowler, who reported his finding to Website Planet. The researcher contacted the company and access to the database was secured.

“A post-incident review will be conducted shortly so we can determine the communication plan and process improvements required,” wrote the company in a statement.

Leaking documents are risky

[Image: Vroom data leak. Source: Website Planet]

While there is no evidence that cybercriminals have exploited Vroom’s user data, the exposure of such sensitive information poses substantial risks to the company’s clients.

Cybercriminals can launch phishing campaigns, targeting victims via email or phone calls, impersonating the company and prompting them to reveal even more sensitive data.

Another big problem is that partial credit card numbers have leaked. Hackers can piece together the missing digits using data from past breaches or mix them with other leaked financial information to scam people into handing over the rest.

Mitigation

“I would highly recommend that fintech companies implement additional security measures in both the applications or dashboards customers use, but also the internal storage networks where sensitive documents are stowed,” says Fowler.

The researcher reminds us that sensitive data should be end-to-end encrypted and protected with access control and multi-factor authentication (MFA).

Security audits and penetration testing are also important tools for identifying vulnerabilities or data exposures and should never be overlooked.

“I also recommend that fintech companies use data minimization policies – collect and store active data while deleting outdated records that are no longer in use,” Fowler continues.

Users of Vroom services should keep a close eye on their credit and bank accounts for any sketchy activity. If they spot anything off – fraudulent charges, weird logins, or misuse – they should report it as soon as possible to their bank and the authorities.
