
Massive Data Leak Exposes 1 Billion Identity Records: Are You at Risk?

A significant data breach has potentially exposed the personal information of approximately one billion individuals across 26 countries. Researchers discovered an unsecured database linked to IDMerit, a company specializing in identity verification services for financial institutions. The database, which contained highly sensitive data, was secured shortly after its discovery.

Key Takeaways

  • Roughly 1 billion identity records were exposed globally.

  • Over 203 million U.S. records were affected.

  • Data included names, addresses, dates of birth, national IDs, phone numbers, and emails.

  • IDMerit disputes a breach of its own systems, attributing the exposure to independent data sources.

  • Automated bots could have accessed the data before it was secured.

The Scope of the Data Exposure

Researchers from Cybernews identified an unprotected MongoDB database on November 11, 2025, believed to belong to IDMerit, a company that uses AI to help businesses perform Know Your Customer (KYC) procedures. The exposed database contained a vast amount of sensitive personal information, including full names, home addresses, postal codes, dates of birth, national identification numbers, phone numbers, email addresses, and gender information. Some records also included telecom metadata and internal flags potentially referencing past breaches.

The United States bore the brunt of the exposure, with over 203 million records compromised. Other heavily impacted countries include Mexico, the Philippines, Germany, Italy, and France. While there is no definitive public evidence that malicious actors downloaded the data, cybersecurity experts warn that automated bots constantly scan for such vulnerabilities and could have copied the information within minutes.

Potential Risks and IDMerit's Response

Criminals obtaining this type of data could use it for various malicious activities, including SIM-swap attacks, highly targeted phishing scams, and identity theft. The organized nature of the database makes it easier for attackers to sort and target individuals.

IDMerit has issued a statement asserting that its own systems were never compromised. The company claims the exposed data originated from independent data sources and that its platform does not store customer data. Following the notification, IDMerit conducted a review and found no vulnerabilities within its environment. They also stated that their partners confirmed no data exfiltration from their systems and suggested the incident might have been a ransom-related attempt by the ethical hacker.

Protecting Yourself

In light of this incident, cybersecurity experts recommend several steps to mitigate risks:

  1. Credit Freeze: Contact credit bureaus to place a freeze on your credit reports.

  2. Two-Factor Authentication: Switch from SMS-based codes to authenticator apps for sensitive accounts.

  3. Password Management: Use a password manager to create strong, unique passwords for all online accounts.

  4. Identity Theft Monitoring: Utilize services that alert you to suspicious activity or your information appearing on the dark web.

  5. Mobile Security: Enable additional security features on your mobile carrier account, such as a port-out PIN.

  6. Antivirus Software: Ensure your devices are protected with reputable antivirus software.

  7. Data Removal Services: Consider services that help remove your personal information from data broker sites.

  8. Skepticism: Be wary of unsolicited communications that reference your personal details; verify through official channels.

This incident highlights the critical role of third-party vendors in data security and the potential widespread impact when basic security controls fail.

