A major cybersecurity incident at Sydney-based asset finance technology company youX has exposed the personal and financial records of 444,538 Australian borrowers, with a threat actor claiming to have exfiltrated 141 gigabytes of data from an unsecured cloud database.

The company confirmed unauthorised access to its systems on 17 February 2026, advising the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the evolving incident.

The stolen dataset allegedly includes 629,597 loan applications, 229,236 Australian driver's licences, 607,822 residential addresses, and detailed financial records including income, debts, and government identification. More than 8,000 password hashes belonging to broker employees are also reported to have been compromised.

The hacker claims data was exfiltrated from an unsecured MongoDB Atlas cluster connected to more than 90 downstream lenders and 797 broker organisations. A preview of the dataset, said to contain $3.7 billion in loan application records, has already been publicly released. The threat actor is demanding a ransom, threatening to release the full dataset in stages.

youX — formerly known as Drive IQ — is a B2B asset finance technology platform operating at the intersection of automotive retail and financial services. The company's platform is used by more than 11,500 dealer and broker users and over 80 accredited lenders to manage, assess, and submit loan applications. It facilitates $7.4 billion in finance opportunities annually.

The company markets itself as a trusted partner to Australia's automotive finance ecosystem, connecting car dealerships, finance brokers, and lenders through a suite of products including loan origination, deal management, and compliance lodgement tools.

Brandsafe Promise Now Under Scrutiny

The breach sits in sharp contrast to youX's published marketing commitments. The company's FAQ prominently features what it calls a "Brandsafe Partner Promise," describing data security as a "core youX value" and its "closed loop" partner model as foundational to how it operates.

"Inspiring our 11,500+ dealer and broker users, along with 80+ accredited lenders to trust us with $7.4 billion of finance opportunities every single year," the FAQ states. The same page promises partners that "your client list will safely stay your own. No unsolicited contact, ever."

Whether that promise extends to adequate protection of borrower data is now the subject of regulatory scrutiny.

Cybersecurity researcher Jeremiah Fowler reportedly identified and disclosed the insecure MongoDB database to youX as early as March 2025. youX indicated at the time that the vulnerability had been remediated. The hacker, however, claims the system remained accessible for approximately 10 months — until the data was exfiltrated.

"We gave youX a chance," the threat actor stated in communications accompanying the data release.

Rapid7 Director of Vulnerability Intelligence Douglas McKee told Cyber Daily the breach's significance extended beyond the exposed data itself. "When you look at what happened with youX, the headline is not just that data was exposed, it is the type of data and the ecosystem it sits in," McKee said. "In financial services, platforms like this become aggregation points."

ASX-Listed Client Reacts

ASX-listed Motorcycle Holdings Limited (ASX: MTO) lodged a formal announcement with the Australian Securities Exchange on 18 February 2026 disclosing its exposure to the youX incident. The announcement signals the breach is creating downstream disclosure obligations for publicly listed companies with connections to the platform.

Viking Asset Aggregation, another industry partner, also confirmed its awareness of the incident. General Manager Simon Gwynne said the organisation was "working closely with youX to actively engage with our stakeholders" and would provide updates as additional information became available.

youX said it has implemented additional security controls and enhanced monitoring across its systems, and is undertaking further "security uplift initiatives." The company said it is cooperating with regulatory authorities and will commence direct notification to affected individuals.

"Protecting personal information and maintaining trust remain our highest priorities," the company stated in its 17 February update. "We regret that this incident has occurred and recognise the importance of transparency."

As at the time of publication, the company's most recent update on 18 February stated there had been no further developments since the previous day's disclosure.

Affected individuals are advised to monitor financial accounts for unusual activity, change passwords, enable multi-factor authentication on all accounts, and remain alert to phishing attempts via email, SMS, or phone.

youX can be contacted for support at privacy@youxpowered.com.au, and has published an incident information page at youxpowered.com.au/cyber-incident.