A massive data breach involving IDMerit, a California-based identity verification company, has exposed over one billion personal records belonging to citizens of 26 countries, according to an investigation published by the cybersecurity research team at Cybernews. The researchers discovered an unsecured MongoDB database containing approximately one terabyte of sensitive Know Your Customer data that had been left accessible on the internet without any password protection, making it freely available to anyone with an internet connection.
The exposed records include full names, dates of birth, national identification numbers, physical addresses, postal codes, phone numbers, email addresses, gender information, telecom metadata, and social profile annotations. The United States was the most affected nation with approximately 203 million records exposed, followed by Mexico with 124 million, the Philippines with 72 million, Germany with 61 million, and both Italy and France with 53 million records each. Citizens of 20 additional countries, including China and Brazil, were also impacted by the breach.
IDMerit provides API-based identity verification and fraud prevention services to banks, fintech companies, and other businesses that are required by law to verify the identities of their customers through KYC compliance procedures. The company operates with a relatively small workforce of roughly 25 to 50 employees, yet handles verification data for a vast number of individuals worldwide. Cybersecurity experts have described the structured nature of the exposed data as a goldmine for criminals, noting that the combination of national identification numbers, birthdates, and full personal profiles creates ideal conditions for identity theft, credit fraud, SIM swapping attacks, and sophisticated phishing campaigns.
The Cybernews research team discovered the unprotected database on November 11, 2025, and immediately notified IDMerit. The company secured the exposed instance the following day, on November 12. However, it remains unclear how long the database had been publicly accessible before its discovery, raising serious concerns about whether malicious actors may have already accessed and copied the data. IDMerit has not publicly disclosed detailed information about the incident or clarified whether affected individuals and regulatory authorities have been formally notified.
The breach has reignited debate about the security practices of KYC providers, which have become critical infrastructure in the global financial system. Governments and regulators worldwide require banks, cryptocurrency exchanges, and digital platforms to verify user identities, effectively funneling vast quantities of sensitive personal data into third-party verification companies. Critics argue that these providers are not subject to sufficient regulatory oversight or mandatory security audits, despite holding some of the most sensitive data imaginable. The incident has drawn particular attention in France, where 53 million identity records were exposed at a time when lawmakers are debating proposals to require identity verification for access to social media platforms.
Cybersecurity analysts have warned that the consequences of this breach could unfold over years, as stolen identity data retains its value long after the initial exposure. National identification numbers and birthdates cannot be changed like passwords, meaning affected individuals face a prolonged risk of identity fraud. Experts have urged anyone who has used services verified through IDMerit to monitor their financial accounts closely, enable two-factor authentication wherever possible, and remain vigilant against targeted phishing attempts that may leverage the leaked personal information.
Comments