1 Billion Identity Records Exposed in Identity Verification Data Breach

Things like your name, address, date of birth, and even your Social Security number may have been on the open Internet. Researchers say an unprotected database linked to IDMerit, a company that claims to help companies verify identities, exposed approximately 1 billion sensitive records in 26 countries.

In the United States alone, more than 203 million records were left unprotected. This involves the exact documents and details that companies use to confirm that you are really you. If criminals get that kind of information, they would have everything they need.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

BE AWARE OF EMAILS FROM EXTORTION SCAMS CLAIMING YOUR DATA IS STOLEN

What you need to know about the massive data leak

Researchers at Cybernews, a cybersecurity news and investigative publication, discovered an exposed MongoDB database on November 11, 2025, which they believe belongs to IDMerit, a global identity verification provider serving banks, fintech companies, and other financial services companies. IDMerit uses artificial intelligence tools to help businesses perform KYC, short for Know Your Customer, which is the identity verification process required when opening financial accounts.

The database was not password protected. Anyone who knew where to look could access it. Inside were full names, addresses, zip codes, dates of birth, national identification numbers, phone numbers, email addresses and gender information. Some records also included metadata related to telecommunications and internal indicators that may have referenced past violations.

The exposure affected people in 26 countries. The United States had the largest number of exposed records with more than 203 million. Mexico, the Philippines, Germany, Italy and France were also hit hard.

The researchers notified the company and the database was secured the next day. There is currently no public evidence that criminals downloaded the data. Still, it’s worth noting that automated bots constantly scan the Internet for exposed databases and can copy them in a matter of minutes.

YOU MAY SHARE YOUR SOCIAL SECURITY NUMBER WHEN YOU DO NOT NEED IT

How it happened and why it is important to you

When you open a bank account, sign up for a crypto platform, or verify your identity for a financial app, you’re often asked to upload a government ID and provide personal data. Companies like IDMerit process that information behind the scenes. That means this database likely contained the same details you would use to prove your identity to a bank or government agency.

For criminals, that’s gold. Using your full name, date of birth, national ID and phone number, scammers can attempt SIM swapping attacks. This is when someone convinces their mobile carrier to port their phone number to their device. Once they control your number, they can intercept security codes sent via text message and break into your bank or email accounts. They can also launch very specific phishing scams. Imagine receiving a call or email that includes your real home address and ID number. It would be legit, and that’s exactly the point.

Because the data was neatly organized, criminals could sort it by country or other details and use automated tools to target large numbers of people with scams.

FIGURES DATA BREACH EXPOSES NEARLY 1 MILLION ACCOUNTS

IDMERIT responds to data exposure allegations

We reached out to IDMerit for comment and a company spokesperson provided CyberGuy with the following statement:

“IDMERIT is a software-as-a-service company that provides identity verification technology. We own and operate our proprietary platform, but we do not own, control, or store customer data or the underlying data maintained by independent data sources. Our platform connects to globally authoritative data sources to verify individual identities on behalf of our customers.”

“On November 11, an ethical hacker reported to IDMERIT that certain data ports associated with independent data sources may have been open, which had the potential to expose certain databases. Upon receiving this notification, we immediately conducted a thorough review of our software, security controls, configurations, and system logs. That review identified no exposure, vulnerability, or unauthorized access within IDMERIT’s environment. IDMERIT’s systems and security infrastructure have never been compromised.”

“At the same time, we notified all partners of relevant data sources and worked with them to evaluate the matter. Our partners conducted their own internal investigations and confirmed that there has never been a breach or exfiltration of data from their systems during, before or after this event. We requested a security incident report from ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.”

“Based on our internal review and confirmations from our partners, we have no indication that customer data has been compromised. We continue to maintain strong security safeguards on our systems and are taking these allegations very seriously as we continue to investigate this matter in coordination with our partners.”

8 ways you can protect yourself from data leaks

Before criminals have the chance to use this information against you, here are some practical steps you can take right now to block everything and reduce your risk.

1) Freeze your credit reports

Contact the major credit agencies in your country and freeze your credit. This prevents criminals from opening loans or credit cards in your name. Even if someone has your national ID and date of birth, lenders will not be able to access your credit file without your permission.

2) Stop Relying on Text Message Security Codes

If your bank or email account still uses SMS codes for two-factor authentication, switch to an authenticator app. Text messages can be intercepted during SIM swapping attacks. An authenticator app generates codes directly on your device, making it much harder for criminals to break in.

3) Use a password manager

If attackers combine leaked identity data with passwords from previous breaches, they can try to access your accounts. A password manager creates unique, secure passwords for each account, so one breach doesn’t unlock everything else.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

4) Consider identity theft protection

Identity theft monitoring services can alert you if your personal information is used to open accounts or appears on dark web marketplaces. Early detection can make the difference between stopping fraud quickly and discovering it months later. See my tips and top picks for the best identity theft protection at Cyberguy.com

5) Keep a close eye on your mobile account

Sign in to your mobile carrier account and enable additional security features, such as a rollover PIN, if available. This adds an extra layer of protection so that someone can’t easily transfer your phone number to another SIM card.

6) Run antivirus software on your devices

Good antivirus software can block malicious links, fake login pages, and spyware that can be used in subsequent attacks. After a large data exposure, phishing campaigns often increase, and having protection in place can keep you out of trouble. Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

7) Consider a personal data deletion service

Your personal information is often scattered across data broker sites and search databases of people selling access to your data. A personal data removal service can monitor where your information appears online and work to remove it. This reduces the amount of data criminals can find about you in one place, making it difficult for them to piece together your identity and target you with scams or fraud. Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

8) Be skeptical of calls that know too much

If someone contacts you and references your address, date of birth, or ID number, do not assume they are legitimate. Hang up and call the official number listed on the company’s website. Criminals use real data to make false stories seem convincing.

Kurt’s Key Takeaway

This incident exposes a larger problem. Companies that handle identity verification have become critical infrastructure for the digital economy. When one of them leaves a database open, the consequences spread across countries and to millions of ordinary people who have never even heard of the company. You trusted your ID to a bank or an app. That bank trusted a third party. At some point in that chain, basic security controls failed.

Should companies that handle identity verification face automatic penalties when they expose millions of people’s most sensitive data? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE News APP

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free if you join me CYBERGUY.COM information sheet.

Copyright 2026 CyberGuy.com. All rights reserved.