Sydney-based fintech youX has confirmed a massive data breach exposing the personal and financial details of 444,538 Australian borrowers. An unsecured database left 141GB of data, including loan applications, driver's licences, and residential addresses, accessible for at least 10 months.
A critical pre‑authentication remote code execution flaw in BeyondTrust’s Remote Support and Privileged Remote Access allows unauthenticated attackers to run arbitrary commands on exposed appliances, enabling full system compromise and broad lateral movement.
The AI race in 2026 has shifted from "who has the smartest model" to "who can afford the power and capital to run them at scale." When Google issues century bonds and Musk eyes orbital data centres, the $700 billion question is whether anyone can sustain this pace.
Sydney-based fintech youX has confirmed a massive data breach exposing the personal and financial details of 444,538 Australian borrowers. An unsecured database left 141GB of data, including loan applications, driver's licences, and residential addresses, accessible for at least 10 months.
Cyber News Centre's cyber update for 19th February 2026: Sydney-based fintech platform youX has confirmed a catastrophic data breach, exposing the highly sensitive personal and financial information of 444,538 Australian borrowers.
youX is a Sydney-based asset finance technology company that provides a platform for thousands of finance brokers and over 90 lenders, including major Australian banks. The platform is used to manage, assess, and submit loan applications, connecting borrowers with a wide network of financial institutions.
Update: Sydney-based fintech youX has confirmed a massive data breach after a threat actor gained unauthorised access to an unsecured MongoDB Atlas cluster, exfiltrating 141GB of highly sensitive data.
The breach, which the company became aware of last week, impacts 444,538 unique Australian borrowers, with the compromised database reportedly left exposed for at least 10 months. The stolen data includes the personal and financial details of borrowers, such as income, debts, government IDs, and home addresses.
The hacker claims to have obtained 629,597 loan applications, 229,236 Australian driver's licences, and 607,822 residential addresses. The threat actor has released a preview of the data, including $3.7 billion in loan applications, and is threatening to release the full dataset in stages if a ransom is not paid. youX has notified the Office of the Australian Information Commissioner (OAIC) and is in the process of notifying affected individuals.
The company has engaged external cybersecurity experts to investigate the incident and has implemented additional security controls and enhanced monitoring across its systems. The breach also affects 797 broker organisations and over 90 downstream lenders.
Why it Matters: This breach represents a significant threat to the financial security of hundreds of thousands of Australians. The sheer volume and sensitivity of the stolen data—including driver's licences, financial details, and personal identifiers—create a perfect storm for widespread identity theft, sophisticated phishing attacks, and financial fraud.
The exposure of data from over 90 lenders, including major banks, highlights the systemic risk inherent in the interconnected financial ecosystem. For the 797 affected broker organisations, the breach is a major blow to client trust and operational integrity. The incident serves as a stark reminder of the critical importance of securing third-party platforms and the devastating consequences of long-term data exposure.
Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
A critical pre‑authentication remote code execution flaw in BeyondTrust’s Remote Support and Privileged Remote Access allows unauthenticated attackers to run arbitrary commands on exposed appliances, enabling full system compromise and broad lateral movement.
Dutch telecom Odido confirms major cyberattack breached 6.2 million customers' personal data including names, addresses, bank account numbers details sparking serious identity theft concerns across the Netherlands
Australian firm FIIG Securities has been ordered to pay a $2.5 million penalty by the Federal Court following ASIC action over significant cybersecurity failures that led to a major data breach in 2023. The landmark case sets a new precedent for cyber resilience obligations for AFS licensees.
Victoria's largest not-for-profit private hospital group, Epworth HealthCare, has been targeted by a fake ransomware group known as 0APT. The group claims to have stolen 920GB of patient data, but evidence suggests it is a bluff designed to extort money through psychological warfare.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!
