According to cybersecurity researcher Jeremiah Fowler, a publicly accessible Amazon S3 database, left unprotected without a password or encryption, exposed around 27,000 sensitive records.
The records included copies of driver’s licenses, Medicaid cards, employment statements, and bank statements containing account numbers and partial credit card details.
Based on the database name and internal file structure, it appeared to be linked to the Australian fintech company Vroom by YouX, formerly known as Drive IQ.
Fowler says he saw an internal screenshot showing details of an additional MongoDB storage instance that contained 3.2 million documents.
“I did not review the MongoDB, and it is unknown for me if those files were accessible or secured, but there are numerous potential risks to exposing additional file storage locations, database names, and systems that are intended for internal use,” said Fowler.
“When cybercriminals know where internal data is stored, it could possibly become an additional attack vector or backdoor deeper into a network.”
“I immediately sent a responsible disclosure notice to Vroom, and the database was restricted from public access and no longer accessible shortly after.”
“It should be noted that AWS S3 is a key-value store, and S3 is effectively considered to be a NoSQL database, which is why I reference ‘database’ in this report.”
“Although the records belonged to Vroom by YouX, it is not known if the database was owned and managed directly by them or by a third-party contractor,” he said.
It is also not known how long the database was exposed before he discovered it or if anyone else may have gained access to it.
Following Fowler's report to Vroom, the company responded the following day, confirming that the vulnerability had been identified and resolved. In a statement, Vroom acknowledged the issue, saying:
“We’ve identified and resolved the issue causing this vulnerability, so thank you for bringing it to our attention. A post-incident review will be conducted shortly so we can determine the communication plan and process improvements required.”
Vroom was launched in June 2022 by Drive IQ Technology as an AI-powered dealership finance platform that aimed to streamline vehicle financing by instantly matching customers with participating lenders.
In 2023 the company was rebranded from Drive IQ to YouX. Dates of the breached records range from 2022 through 2025.
Fowler says he saw references to Vroom and Drive IQ in a limited sample; however, he did not see any mentions of YouX.
