1 billion identity records exposed in ID verification data leak

More than 203 million U.S. records were left exposed in the breach

by Kurt Knutsson
At a glance
  • An exposed database linked to IDMerit left roughly one billion identity records accessible online.
  • More than 203 million U.S. records were included in the leak, affecting people across 26 countries.
  • The data included names, addresses, birth dates, national ID numbers, phone numbers and emails.
  • IDMerit says its own systems were never breached and that partner investigations found no confirmed data exfiltration.

 

Things like your name, home address, date of birth, and even your Social Security number may have been sitting on the open internet. Researchers say an unprotected database tied to IDMerit, a company that claims to help businesses verify identities, exposed roughly one billion sensitive records across 26 countries. In the United States alone, more than 203 million records were left unsecured. This involves the exact documents and details companies use to confirm you are really you. If criminals get that kind of information, they have everything they need.

 

 

What you need to know about the massive data leak

Researchers at Cybernews, a cybersecurity news and research publication, discovered an exposed MongoDB database on November 11, 2025, that they believe belongs to IDMerit, a global identity verification provider that serves banks, fintech firms, and other financial services companies. IDMerit uses artificial intelligence tools to help businesses perform KYC, short for Know Your Customer, which is the identity verification process required when you open financial accounts.

The database was not protected by a password. Anyone who knew where to look could access it. Inside were full names, home addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses, and gender information. Some records also included telecom-related metadata and internal flags that may have referenced past breaches.

The exposure affected people in 26 countries. The United States had the highest number of exposed records at more than 203 million. Mexico, the Philippines, Germany, Italy, and France were also heavily impacted.

Researchers notified the company, and the database was secured the following day. There is currently no public evidence that criminals downloaded the data. Still, it’s worth noting that automated bots constantly scan the internet for exposed databases and can copy them within minutes.

How it happened and why it matters to you

When you open a bank account, sign up for a crypto platform, or verify your identity for a financial app, you are often asked to upload a government ID and provide personal details. Companies like IDMerit process that information behind the scenes. That means this database likely contained the same details you would use to prove your identity to a bank or government agency.

For criminals, that is gold. With your full name, date of birth, national ID, and phone number, scammers can attempt SIM swap attacks. This is when someone convinces your mobile carrier to transfer your phone number to their device. Once they control your number, they can intercept security codes sent by text message and break into your bank or email accounts. They can also launch highly targeted phishing scams. Imagine receiving a call or email that includes your real home address and ID number. It would feel legitimate, and that’s exactly the point.

Because the data was neatly organized, criminals could sort it by country or other details and use automated tools to target huge numbers of people with scams.

 

IDMERIT responds to data exposure allegations

We reached out to IDMerit for comment, and a spokesperson for the company provided CyberGuy with the following statement:

“IDMERIT is a software-as-a-service company that provides identity verification technology. We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources. Our platform connects to authorized data sources globally to verify individual identities on behalf of our customers.

On November 11, IDMERIT was made aware by an ethical hacker that certain data ports associated with independent data sources could have been open, which had the potential to expose certain databases. Upon receiving this notification, we immediately conducted a comprehensive review of our software, security controls, configurations and system logs. That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment. IDMERIT’s systems and security infrastructure have never been compromised.

At the same time, we notified all relevant data source partners and worked with them to assess the matter. Our partners conducted their own internal investigations and confirmed that there has never been a data breach or exfiltration from their systems during, before or after this event. We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.

Based on our internal review and confirmations from our partners, we have no indication that any customer data has been compromised. We continue to maintain robust security safeguards on our systems and are taking these accusations very seriously as we continue to investigate this matter in coordination with our partners.”

 

8 ways you can protect yourself from data leaks

Before criminals have a chance to use this information against you, here are practical steps you can take right now to lock things down and reduce your risk.

 

1) Freeze your credit reports

Contact the major credit bureaus in your country and place a credit freeze. This prevents criminals from opening loans or credit cards in your name. Even if someone has your national ID and date of birth, lenders will not be able to access your credit file without your permission.

 

2) Stop relying on text message security codes

If your bank or email account still uses SMS codes for two-factor authentication, switch to an authenticator app instead. Text messages can be intercepted during SIM swap attacks. An authenticator app generates codes directly on your device, making it much harder for criminals to break in.

 

3) Consider a personal data removal service

Your personal information is often scattered across data broker sites and people-search databases that sell access to your details. A personal data removal service like Incogni can monitor where your information appears online and work to get it taken down. This reduces the amount of data criminals can find about you in one place, making it harder for them to piece together your identity and target you with scams or fraud.

 

4) Consider identity theft protection

Identity theft monitoring services such as Aura can alert you if your personal information is used to open accounts or appears on dark web marketplaces. Early detection can mean the difference between stopping fraud quickly and discovering it months later.

 

5) Use a password manager

If attackers pair leaked identity data with passwords from older breaches, they can try to access your accounts. A password manager like NordPass creates strong, unique passwords for every account, so one leak does not unlock everything else.

 

6) Watch your mobile account closely

Log in to your mobile carrier account and enable extra security features, such as a port-out PIN if available. This adds an additional layer of protection so someone cannot easily move your phone number to another SIM card.

 

7) Run antivirus software on your devices

Strong antivirus software such as TotalAV can block malicious links, fake login pages, and spyware that may be used in follow-up attacks. After a large data exposure, phishing campaigns often spike, and having protection in place can stop you from clicking into trouble.

 

8) Be skeptical of calls that know too much

If someone contacts you and references your address, date of birth, or ID number, do not assume they are legitimate. Hang up and call the official number listed on the company’s website. Criminals use real data to make fake stories sound convincing.

 

 

Kurt’s key takeaway

This incident exposes a larger problem. Companies that handle identity verification have become critical infrastructure for the digital economy. When one of them leaves a database open, the fallout spreads across countries and millions of ordinary people who never even heard of the company. You trusted a bank or app with your ID. That bank trusted a third party. Somewhere in that chain, basic security controls failed.

Should companies that handle identity verification face automatic penalties when they expose millions of people’s most sensitive data? Let me know in the comments below. 

Copyright 2026 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.

2 comments

Amy C. March 11, 2026 - 6:55 am

These companies are making billions for their services. It is time they are forced to take responsibility for their actions. This particular company was so lax in its protection of data that it should be considered fraud. Offering this type of service, while having no protection of the data, is totally unreasonable. Further, the banks and financial services that used it are also culpable by not assuring their clients' data was secured. They should all be held responsible for providing each customer with lifetime protection and removal products at no charge, as well as monetary repayment of losses tracked back to this leak. This happens all the time, and all these companies get is a little bad press and a slap on the wrist.

Faith March 11, 2026 - 7:16 am

This is basic data security, and borders on criminal. They should be prosecuted and pay restitution.
