1 billion identity records exposed in ID verification data leak

Things for illustration your name, location address, day of commencement and moreover your Social Security number whitethorn person been sitting connected nan unfastened internet. Researchers opportunity an unprotected database tied to IDMerit, a institution that claims to thief businesses verify identities, exposed astir 1 cardinal delicate records crossed 26 countries.

In nan United States alone, much than 203 cardinal records were near unsecured. This involves nan nonstop documents and specifications companies usage to corroborate you are really you. If criminals get that benignant of information, they'd person everything they need.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – free erstwhile you subordinate my CYBERGUY.COM newsletter.

BE AWARE OF EXTORTION SCAM EMAILS CLAIMING YOUR DATA IS STOLEN

Researchers opportunity an exposed database tied to IDMerit near astir 1 cardinal delicate personality records visible connected nan unfastened internet. (Morteza Nikoubazl/NurPhoto via Getty Images)

What you request to cognize astir nan monolithic information leak

Researchers astatine Cybernews, a cybersecurity news and investigation publication, discovered an exposed MongoDB database connected Nov. 11, 2025, that they judge belongs to IDMerit, a world personality verification supplier that serves banks, fintech firms and different financial services companies. IDMerit uses artificial intelligence devices to thief businesses execute KYC, short for Know Your Customer, which is nan personality verification process required erstwhile you unfastened financial accounts.

The database was not protected by a password. Anyone who knew wherever to look could entree it. Inside were afloat names, location addresses, postal codes, dates of birth, nationalist ID numbers, telephone numbers, email addresses and gender information. Some records besides included telecom-related metadata and soul flags that whitethorn person referenced past breaches.

The vulnerability affected group successful 26 countries. The United States had nan highest number of exposed records astatine much than 203 million. Mexico, nan Philippines, Germany, Italy and France were besides heavy impacted.

Researchers notified nan company, and nan database was secured nan pursuing day. There is presently nary nationalist grounds that criminals downloaded nan data. Still, it's worthy noting that automated bots perpetually scan nan net for exposed databases and tin transcript them wrong minutes.

YOU COULD BE SHARING YOUR SOCIAL SECURITY NUMBER WHEN YOU DON'T NEED TO

The unsecured database reportedly contained highly delicate specifications including names, location addresses, dates of commencement and nationalist ID numbers. (Silas Stein/picture confederation via Getty Images)

How it happened and why it matters for you

When you unfastened a slope account, motion up for a crypto level aliases verify your personality for a financial app, you are often asked to upload a authorities ID and supply individual details. Companies for illustration IDMerit process that accusation down nan scenes. That intends this database apt contained nan aforesaid specifications you would usage to beryllium your personality to a slope aliases authorities agency.

For criminals, that is gold. With your afloat name, day of birth, nationalist ID and telephone number, scammers tin effort SIM-swap attacks. This is erstwhile personification convinces your mobile bearer to transportation your telephone number to their device. Once they power your number, they tin intercept information codes sent by matter connection and break into your slope aliases email accounts. They tin besides motorboat highly targeted phishing scams. Imagine receiving a telephone aliases email that includes your existent location reside and ID number. It would consciousness legitimate, and that's precisely nan point.

Because nan information was neatly organized, criminals could sort it by state aliases different specifications and usage automated devices to target immense numbers of group pinch scams.

FIGURE DATA BREACH EXPOSES NEARLY 1M ACCOUNTS

Experts pass that information for illustration this tin thief criminals motorboat SIM switch attacks and highly targeted phishing scams. (Kurt "CyberGuy" Knutsson)

IDMERIT responds to information vulnerability allegations

We reached retired to IDMerit for comment, and a spokesperson for nan institution provided CyberGuy pinch nan pursuing statement:

"IDMERIT is simply a software-as-a-service institution that provides personality verification technology. We ain and run our proprietary platform, but we do not own, power aliases shop customer information aliases nan underlying information maintained by independent information sources. Our level connects to authorized information sources globally to verify individual identities connected behalf of our customers."

"On November 11, IDMERIT was made alert by an ethical hacker that definite information ports associated pinch independent information sources could person been open, which had nan imaginable to expose definite databases. Upon receiving this notification, we instantly conducted a broad reappraisal of our software, information controls, configurations and strategy logs. That reappraisal identified nary exposure, vulnerability aliases unauthorized entree wrong nan IDMERIT environment. IDMERIT's systems and information infrastructure person ne'er been compromised."

"At nan aforesaid time, we notified each applicable information root partners and worked pinch them to measure nan matter. Our partners conducted their ain soul investigations and confirmed that location has ne'er been a information breach aliases exfiltration from their systems during, earlier aliases aft this event. We requested a information incident study from nan ethical hackers arsenic proof, and nan consequence was a request for money for nan report, which confirmed our suspicion that this was a ransom-related incident."

"Based connected our soul reappraisal and confirmations from our partners, we person nary denotation that immoderate customer information has been compromised. We proceed to support robust information safeguards connected our systems and are taking these accusations very earnestly arsenic we proceed to analyse this matter successful coordination pinch our partners."

8 ways you tin protect yourself from information leaks

Before criminals person a chance to usage this accusation against you, present are applicable steps you tin return correct now to fastener things down and trim your risk.

1) Freeze your in installments reports

Contact nan awesome in installments bureaus successful your state and spot a credit freeze. This prevents criminals from opening loans aliases in installments cards successful your name. Even if personification has your nationalist ID and day of birth, lenders will not beryllium capable to entree your in installments record without your permission.

2) Stop relying connected matter connection information codes

If your slope aliases email relationship still uses SMS codes for two-factor authentication, move to an authenticator app instead. Text messages tin beryllium intercepted during SIM-swap attacks. An authenticator app generates codes straight connected your device, making it overmuch harder for criminals to break in.

3) Use a password manager

If attackers brace leaked personality information pinch passwords from older breaches, they tin effort to entree your accounts. A password head creates strong, unsocial passwords for each account, truthful 1 leak does not unlock everything else.

Check retired nan champion expert-reviewed password managers of 2026 at Cyberguy.com.

4) Consider personality theft protection

Identity theft monitoring services tin alert you if your individual accusation is utilized to unfastened accounts aliases appears connected acheronian web marketplaces. Early discovery tin mean nan quality betwixt stopping fraud quickly and discovering it months later. See my tips and champion picks connected Best Identity Theft Protection astatine Cyberguy.com

5) Watch your mobile relationship closely

Log successful to your mobile bearer relationship and alteration other information features, specified arsenic a port-out PIN if available. This adds an further furniture of protection truthful personification cannot easy move your telephone number to different SIM card.

6) Run antivirus package connected your devices

Good antivirus package tin artifact malicious links, clone login pages and spyware that whitethorn beryllium utilized successful follow-up attacks. After a ample information exposure, phishing campaigns often spike, and having protection successful spot tin extremity you from clicking into trouble. Get my picks for nan best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

7) Consider a individual information removal service

Your individual accusation is often scattered crossed information agent sites and people-search databases that waste entree to your details. A individual information removal work tin show wherever your accusation appears online and activity to get it taken down. This reduces nan magnitude of information criminals tin find astir you successful 1 place, making it harder for them to portion together your personality and target you pinch scams aliases fraud. Check retired my apical picks for information removal services and get a free scan to find retired if your individual accusation is already retired connected nan web by visiting Cyberguy.com.

8) Be skeptical of calls that cognize excessively much

If personification contacts you and references your address, day of commencement aliases ID number, do not presume they are legitimate. Hang up and telephone nan charismatic number listed connected nan company's website. Criminals usage existent information to make clone stories sound convincing.

Kurt's cardinal takeaway

This incident exposes a larger problem. Companies that grip personality verification person go captious infrastructure for nan integer economy. When 1 of them leaves a database open, nan fallout spreads crossed countries and millions of mean group who ne'er moreover heard of nan company. You trusted a slope aliases app pinch your ID. That slope trusted a 3rd party. Somewhere successful that chain, basal information controls failed.

Should companies that grip personality verification look automatic penalties erstwhile they expose millions of people's astir delicate data? Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide – free erstwhile you subordinate my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All authorities reserved.