What Happened
In February 2026, Australian fintech company youX (youxpowered.com.au), a Sydney-based B2B asset-finance platform formerly known as Drive IQ, suffered a significant data breach when a threat actor—possibly FulcrumSec—exploited misconfigured security on its MongoDB Atlas cloud database, lacking IP whitelisting, multi-factor authentication, and rotated credentials, leading to the exfiltration of 141GB of data plus 16GB from prodApply. The incident was first detected around February 14-15, publicly reported on February 15 via dark web previews, and confirmed by youX on February 18 after a sample was posted on hacking forums on February 19, affecting approximately 444,000-444,538 unique borrowers across 797 broker organizations and 90+ lenders. Exposed data included over 629,000 loan applications, 200,000+ driver’s license numbers and scans, names, dates of birth, government IDs, email addresses, phone numbers, residential addresses (607,822), bank statements, income/expense details, employer information, private SMS conversations, and metadata like IP addresses, but no payment card numbers or passwords. youX responded by disabling the database, notifying the Australian Cyber Security Centre (ACSC) and Office of the Australian Information Commissioner (OAIC), engaging forensics experts, securing a court injunction, and advising customers to monitor accounts and replace compromised IDs amid risks of identity theft, phishing, and fraud; investigations continue with potential Privacy Act violations.
