
Thousands of Driver’s Licenses, Bank Records, and PII Exposed in Australian Fintech Data Leak

By Kirsten Doyle, March 28, 2025 (6 Mins Read)

Cybersecurity analyst Jeremiah Fowler has discovered an unprotected Amazon S3 database that wasn’t encrypted or password protected and contained some 27,000 records. The records included highly personal information such as driver’s licenses, Medicaid cards, work statements, and bank statements that held account numbers and partial credit card numbers.  

The name of the database and the internal file names suggest that the database was owned by Australian fintech company Vroom by YouX (formerly Drive IQ).

In addition, Fowler discovered an internal screenshot that showed another instance of MongoDB storage with 3.2 million documents. However, he did not examine its content and could not determine whether such files existed or were securely locked. He emphasized the risks of exposing internal file storage locations, database names, and internal-use systems. “When cybercriminals know where internal data resides, it can become another attack vector or backdoor deeper into a network,” Fowler said. 

After discovering the leak, Fowler promptly sent a responsible disclosure notice to Vroom. The database was then quickly secured from public access. He noted that AWS S3 is a NoSQL repository that happens to be used like a NoSQL database, which is why he called it a “database” in his disclosure.

Even though the records belonged to Vroom by YouX, it is not known whether the database was managed directly by them or a third-party vendor. The duration of the exposure is also not known, and only an internal forensic audit could determine whether unauthorized access had taken place. 

Fowler received a response the next day stating: “We’ve identified and resolved the issue causing this vulnerability so thank you for bringing it to our attention. A post incident review will be conducted shortly so we can determine the communication plan and process improvements required.”

The Role of Vroom by YouX 

Vroom was launched in June 2022 by Drive IQ Technology as an AI-powered dealership finance platform designed to streamline vehicle financing by instantly matching customers with participating lenders. In 2023, the company rebranded from Drive IQ to YouX. The exposed records ranged from 2022 through 2025. Fowler noted references to both Vroom and Drive IQ in a limited sample but did not see any explicit mentions of YouX. 

A startup news website previously described Vroom’s service as: “Vroom reviews customer identification information, multi-bureau credit information, vehicle details, and uses an AI matching algorithm to serve customers with pre-approved finance offers from lenders.” According to the Drive IQ website, the company claims to be Australia’s largest online marketplace for car loans. 

Risks of Data Exposure 

Fowler stressed that identity documents are a necessary part of the financing approval process but should never be publicly accessible. Although the database contained images of users’ documents, he did not observe any proprietary coding or development records regarding Vroom’s technology, as those appeared to be stored elsewhere. 

“Any data exposure that contains images of identification and financial documents poses serious potential risks,” Fowler stated. Such documents, including driver’s licenses, Medicaid cards, bank statements, and employment records, could be exploited for fraudulent activities, such as targeted social engineering attacks, fraudulent account creation, loan applications, or even identity theft. 

One major concern was the exposure of partial credit card numbers. Fowler noted that the first three and last four digits of several credit cards were visible in .json files. “When criminals have partial card numbers, they may be able to cross-reference previous breaches to find the missing numbers or use them for targeted phishing scams,” he warned. He clarified that this did not mean Vroom’s customers were at immediate risk but emphasized the real-world dangers of such exposures. 

A 2024 study by cybersecurity firm Sophos found that the financial industry is a prime target for bad actors, with nearly two-thirds (65%) of entities falling victim to ransomware attacks. “As financial technology expands and fundamentally changes how consumers manage money or obtain financing, cybersecurity must also evolve to meet the risks and threats the industry faces today and tomorrow,” Fowler said. 

Recommendations for Fintech Security 

Fowler urged fintech companies to adopt stronger security measures for customer-facing apps and internal storage networks. He recommended implementing end-to-end encryption, access controls, and multi-factor authentication (MFA) for customers, users, and employees alike. Additionally, regular security audits and penetration testing should be conducted to identify vulnerabilities before they become serious threats. 

To mitigate risk, Fowler also suggested data minimization policies: retaining only necessary data and deleting outdated records to reduce liability. “On balance, it is potentially risky to hold large amounts of sensitive records if they become a liability,” he explained. He also recommended active monitoring and anomaly detection systems to identify and respond to suspicious activity before a breach escalates.

Transparency is also key in data security incidents. Fowler highlighted the importance of notifying affected users when personal information has been exposed. “Customers who may have had their PII exposed in a data breach should monitor their credit profiles, financial accounts, and identities for potential misuse or unauthorized activity. In the unfortunate event that customers do identify suspicious transactions or misuse, they should report them immediately to the authorities and their financial institution. The most important thing is to remain vigilant — understand the risks and know what to look for to catch any unauthorized activity as early as possible.”  

Ethical Considerations and Disclosure 

Fowler stressed that his report does not imply any wrongdoing by Vroom, Drive IQ, YouX, or any affiliates, and that he wasn’t claiming that internal or customer data was at imminent risk. “The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures,” he noted.

As an ethical security researcher, Fowler says he follows strict protocols and does not download the data he discovers, taking only a limited number of screenshots for verification purposes. His sole actions are identifying vulnerabilities and notifying the relevant parties, aiming to raise awareness and encourage organizations to improve their cybersecurity practices.
