Vroom Leak: Bank Details and IDs of 30000+ Australians Exposed

Vroom by YouX, the biggest car loan marketplace in Australia, has made thousands of driver’s licenses, Medicare cards, and partial credit card information public. 27,000 records were made public online due to a security breach. In this post, we will go over the breach, its dangers, and the precautions you can take to protect yourself.

Jeremiah Fowler, a cybersecurity researcher, found a non-password-protected database that had 27,000 records from Vroom by YouX, a fintech business based in Australia that helps with auto loans, and informed Website Planet about it.

About the Publicly Exposed Amazon S3 Database

The publicly accessible Amazon S3 database was not encrypted or password protected. It included 27,000 documents, such as driver’s licenses, Medicaid cards, employment data, and bank statements that included partial credit card information and account numbers. YouX (previously Drive IQ) discovered that the database and its files belonged to the Australian fintech startup Vroom.

The types of data exposed include: 

  • Driver’s license 
  • Bank statements (including account numbers and partial credit card numbers) 
  • Employment statements 
  • Medicaid cards

Additionally, I saw an internal screenshot that showed the information of an additional MongoDB storage instance that contained 3.2 million documents. I did not review the MongoDB, and it is unknown to me if those files were accessible or secured, but there are numerous potential risks to exposing additional file storage locations, database names, and systems that are intended for internal use. When cybercriminals know where internal data is stored, it could possibly become an additional attack vector or backdoor deeper into a network.

Cybersecurity Researcher, Jeremiah Fowler

Although the records belonged to Vroom by YouX, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. 

Risks of Exposed Personal and Financial Data

Serious issues may arise if private records such as bank transactions, driver’s licenses, Medicaid cards, and employment records are made public. Cybercriminals could use these documents illegally to impersonate victims, apply for loans, or create fake accounts.

Partial credit card number leaks are another problem. Even with just the first three and final four numbers, thieves can use them in phishing scams to fool victims into disclosing the missing card information or cross-check them with other data from prior thefts. Although Vroom’s clients are not in danger of serious harm, disclosing this kind of information raises the possibility of fraud in the future.

Researcher’s Word Of Advice

 I recommend that Fintech companies use data minimization policies — collect and store active data while deleting outdated records that are no longer in use. On balance, it is potentially risky to hold large amounts of sensitive records if they become a liability. Finally, active monitoring and anomaly detection systems can identify suspicious activity and respond to potential breaches before they become a critical incident.

 Jeremiah Fowler

It’s crucial to inform users when their personal information is exposed so they can take action. You should keep an eye on your documents, bank accounts, and credit for any unusual behavior if your personal information is compromised in a breach.

Scammers often use stolen data to launch phishing attacks, pretending to be from banks or other trusted services to steal more personal details. Always verify any unexpected requests for your personal or financial information and only use official channels. It’s also wise to update your passwords and enable multi-factor authentication (MFA) for added security. If you think your identity has been stolen, contact the authorities immediately.
