1B identity records exposed in ID verification data leak

Original link: https://www.aol.com/articles/1-billion-identity-records-exposed-152505381.html

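## Massive data leak exposes 1 billion records

A large-scale data leak that may affect individuals in 26 countries, including more than 203 million people in the United States, exposed a database linked to IDMerit. IDMerit is a company that specializes in providing identity verification services to businesses. The unencrypted database was discovered in November 2025 and contained sensitive personal information such as names, addresses, dates of birth, national ID numbers and phone numbers, the very details used to confirm identity.

IDMerit claims its own systems were not compromised and suspects that the "ethical hacker" who reported the issue was attempting extortion. But the leaked data poses a significant risk. Criminals can use this information for SIM-swap attacks, highly targeted phishing scams and identity theft.

Experts recommend immediate action: freeze your credit with the major credit bureaus, switch to an authenticator app for two-factor authentication, use a password manager, and consider an identity theft monitoring service. Strengthening mobile account security and using strong antivirus software are also essential. The incident highlights the fragility of the identity verification ecosystem and raises questions about the responsibility of companies that handle sensitive data. For more resources and protection tips, visit Cyberguy.com.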

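The data leak exposed roughly 1 billion identity records that came from identity verification processes. CyberNews first reported the leak almost a month ago, but broader confirmation remains limited. Details remain scarce on what exactly constitutes a "record" and on the number of unique individuals affected.

Discussion on Hacker News highlighted skepticism about the initial reports and questioned the effectiveness of data privacy regulations such as GDPR, with one commenter noting that these regulations have mainly resulted in ubiquitous cookie prompts. Another commenter argued that stronger enforcement and penalties for negligent data handling are a positive outcome of such regulations, citing EnforcementTracker as a resource. The leak raises concerns about Know Your Customer (KYC) processes and their potential security weaknesses.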

Original article

Things like your name, home address, date of birth and even your Social Security number may have been sitting on the open internet. Researchers say an unprotected database tied to IDMerit, a company that claims to help businesses verify identities, exposed roughly 1 billion sensitive records across 26 countries.

In the United States alone, more than 203 million records were left unsecured. This involves the exact documents and details companies use to confirm you are really you. If criminals get that kind of information, they'd have everything they need.



Researchers at Cybernews, a cybersecurity news and research publication, discovered an exposed MongoDB database on Nov. 11, 2025, that they believe belongs to IDMerit, a global identity verification provider that serves banks, fintech firms and other financial services companies. IDMerit uses artificial intelligence tools to help businesses perform KYC, short for Know Your Customer, which is the identity verification process required when you open financial accounts.

The database was not protected by a password. Anyone who knew where to look could access it. Inside were full names, home addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses and gender information. Some records also included telecom-related metadata and internal flags that may have referenced past breaches.
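The two server settings that decide whether a MongoDB instance is reachable without a password can be checked in its configuration file. The sketch below is an added example, not part of the original article or of any party's actual configuration; it audits a constructed sample `mongod.conf` for `security.authorization` and `net.bindIp`/`net.bindIpAll`, and assumes a simple mappings-only YAML file.

```python
# Added example: audit a mongod.conf for the two settings behind an
# "open" MongoDB instance. The sample config is constructed for illustration.

SAMPLE_CONF = """\
# constructed sample, not taken from the incident
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

def flatten(conf_text):
    """Flatten simple nested YAML (mappings only) into dotted keys."""
    result, stack = {}, []            # stack holds (indent, key) of open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, value = (part.strip() for part in line.split(":", 1))
        while stack and stack[-1][0] >= indent:   # leave finished sections
            stack.pop()
        if value:
            result[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return result

def audit(conf_text):
    """Return a list of findings; an empty list means both checks pass."""
    conf, findings = flatten(conf_text), []
    # Access control is off unless explicitly enabled.
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: no credentials required")
    # Listening on every interface makes the port reachable beyond the host.
    addrs = [a.strip() for a in conf.get("net.bindIp", "localhost").split(",")]
    exposed = [a for a in addrs if a in ("0.0.0.0", "::", "*")]
    if exposed or conf.get("net.bindIpAll", "false") == "true":
        findings.append("listens on all interfaces: reachable from any network the host is on")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```
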


The exposure affected people in 26 countries. The United States had the highest number of exposed records at more than 203 million. Mexico, the Philippines, Germany, Italy and France were also heavily impacted.

Researchers notified the company, and the database was secured the following day. There is currently no public evidence that criminals downloaded the data. Still, it's worth noting that automated bots constantly scan the internet for exposed databases and can copy them within minutes.


The unsecured database reportedly contained highly sensitive details including names, home addresses, dates of birth and national ID numbers.

When you open a bank account, sign up for a crypto platform or verify your identity for a financial app, you are often asked to upload a government ID and provide personal details. Companies like IDMerit process that information behind the scenes. That means this database likely contained the same details you would use to prove your identity to a bank or government agency.

For criminals, that is gold. With your full name, date of birth, national ID and phone number, scammers can attempt SIM-swap attacks. This is when someone convinces your mobile carrier to transfer your phone number to their device. Once they control your number, they can intercept security codes sent by text message and break into your bank or email accounts. They can also launch highly targeted phishing scams. Imagine receiving a call or email that includes your real home address and ID number. It would feel legitimate, and that's exactly the point.

Because the data was neatly organized, criminals could sort it by country or other details and use automated tools to target huge numbers of people with scams.


Experts warn that data like this can help criminals launch SIM swap attacks and highly targeted phishing scams.

We reached out to IDMerit for comment, and a spokesperson for the company provided CyberGuy with the following statement:

"IDMERIT is a software-as-a-service company that provides identity verification technology. We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources. Our platform connects to authorized data sources globally to verify individual identities on behalf of our customers."

"On November 11, IDMERIT was made aware by an ethical hacker that certain data ports associated with independent data sources could have been open, which had the potential to expose certain databases. Upon receiving this notification, we immediately conducted a comprehensive review of our software, security controls, configurations and system logs. That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment. IDMERIT's systems and security infrastructure have never been compromised."

"At the same time, we notified all relevant data source partners and worked with them to assess the matter. Our partners conducted their own internal investigations and confirmed that there has never been a data breach or exfiltration from their systems during, before or after this event. We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident."

"Based on our internal review and confirmations from our partners, we have no indication that any customer data has been compromised. We continue to maintain robust security safeguards on our systems and are taking these accusations very seriously as we continue to investigate this matter in coordination with our partners."

Before criminals have a chance to use this information against you, here are practical steps you can take right now to lock things down and reduce your risk.

Contact the major credit bureaus in your country and place a credit freeze. This prevents criminals from opening loans or credit cards in your name. Even if someone has your national ID and date of birth, lenders will not be able to access your credit file without your permission.

If your bank or email account still uses SMS codes for two-factor authentication, switch to an authenticator app instead. Text messages can be intercepted during SIM-swap attacks. An authenticator app generates codes directly on your device, making it much harder for criminals to break in.

If attackers pair leaked identity data with passwords from older breaches, they can try to access your accounts. A password manager creates strong, unique passwords for every account, so one leak does not unlock everything else.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

Identity theft monitoring services can alert you if your personal information is used to open accounts or appears on dark web marketplaces. Early detection can mean the difference between stopping fraud quickly and discovering it months later. See my tips and best picks on Best Identity Theft Protection at Cyberguy.com.

Log in to your mobile carrier account and enable extra security features, such as a port-out PIN if available. This adds an additional layer of protection so someone cannot easily move your phone number to another SIM card.

Good antivirus software can block malicious links, fake login pages and spyware that may be used in follow-up attacks. After a large data exposure, phishing campaigns often spike, and having protection in place can stop you from clicking into trouble. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

Your personal information is often scattered across data broker sites and people-search databases that sell access to your details. A personal data removal service can monitor where your information appears online and work to get it taken down. This reduces the amount of data criminals can find about you in one place, making it harder for them to piece together your identity and target you with scams or fraud. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

If someone contacts you and references your address, date of birth or ID number, do not assume they are legitimate. Hang up and call the official number listed on the company's website. Criminals use real data to make fake stories sound convincing.

This incident exposes a larger problem. Companies that handle identity verification have become critical infrastructure for the digital economy. When one of them leaves a database open, the fallout spreads across countries and millions of ordinary people who never even heard of the company. You trusted a bank or app with your ID. That bank trusted a third party. Somewhere in that chain, basic security controls failed.

Should companies that handle identity verification face automatic penalties when they expose millions of people's most sensitive data? Let us know by writing to us at Cyberguy.com.



Copyright 2026 CyberGuy.com. All rights reserved.

Original article source: 1 billion identity records exposed in ID verification data leak
