TL;DR:
- 1 billion personal records exposed from an unsecured MongoDB database belonging to IDMerit, a California-based identity verification company
- 203 million U.S. records were exposed (the most of any country), followed by Mexico (124M), Philippines (72M), Germany (61M), Italy (53M), and France (53M)
- Data included national IDs, full names, addresses, phone numbers, and telecom metadata: everything needed for identity theft
- Database was discovered November 11, 2025 by Cybernews researchers and secured the next day
- Unknown exposure window: No one knows how long the database was open or who else accessed it
- 26 countries affected across North America, Europe, Asia, and Latin America
What Happened
On November 11, 2025, the Cybernews research team stumbled across something alarming: an unsecured MongoDB instance containing roughly 1 terabyte of data. Inside were more than 1 billion personal records from 26 countries.
The database belonged to IDMerit, a California-based company that provides "Know Your Customer" (KYC) identity verification services. When banks, crypto exchanges, and financial services need to confirm you are who you say you are, they often use companies like IDMerit to check your documents against official databases.
The problem? IDMerit left all that verification data sitting in a database with no password protection. No authentication. Nothing.
Cybernews immediately notified IDMerit. The company secured the database on November 12, within a day. But that raises the obvious question: how long was it exposed before anyone noticed?
What's in the Data
This isn't a password breach. This is worse.
The exposed records include:
- National ID numbers: Social Security numbers in the U.S., equivalent identifiers elsewhere
- Full legal names
- Physical addresses
- Phone numbers
- Telecom metadata: carrier information and account details
Think about what you submit when you open a bank account, verify your identity for a crypto exchange, or set up a financial services account. That's exactly the data IDMerit collects to verify identities, and that's what was exposed.
You can change a password. You can't change your Social Security number or your date of birth. Once this data is out, it's out forever.
Who Got Hit
The United States was hit hardest, with over 203 million records exposed. That's more than half the U.S. adult population's worth of records in a single database.
The breakdown by country:
- United States: 203 million records
- Mexico: 124 million records
- Philippines: 72 million records
- Germany: 61 million records
- Italy: 53 million records
- France: 53 million records
Twenty additional countries were also affected, though specific record counts weren't disclosed. The scale is staggering. This single exposure may contain identity data for a significant percentage of adults in affected nations.
Who Is IDMerit?
IDMerit, also known as IDMart, is a relatively small player in the identity verification space. Founded in 2014 and based in California, the company employs around 25-50 people and generates approximately $2.9 million in annual revenue.
But small doesn't mean unimportant. IDMerit provides API-based KYC (Know Your Customer), AML (Anti-Money Laundering), and identity verification services to businesses globally. Their clients use IDMerit to verify customer identities, check documents, and comply with financial regulations.
In other words, companies trusted IDMerit with their customers' most sensitive data. IDMerit stored it all in one place. And then left the door wide open.
Why This Is Dangerous
Security researchers are clear-eyed about what this exposure enables:
- Identity theft: With national IDs, names, and addresses, criminals can open credit accounts, file false tax returns, and impersonate victims
- SIM swapping: Phone numbers and telecom metadata make it easier to take over victims' mobile accounts
- Targeted phishing: With this level of personal detail, spear-phishing emails become frighteningly convincing
- Credit fraud: National IDs are the keys to the financial system; this data unlocks everything
The worst part? We don't know who else found this database. Automated crawlers run by threat actors constantly scan the internet for exposed databases. When they find one, they download everything within minutes, often before the owner realizes the exposure exists.
IDMerit secured the database within a day of being notified. But how long was it exposed before Cybernews found it? Days? Weeks? Months? Nobody knows.
What You Should Do
If you've verified your identity with a financial service, crypto exchange, or fintech app in recent years, your data may be in this breach. Here's how to protect yourself:
- Freeze your credit: Do this at all three bureaus (Equifax, Experian, and TransUnion). It's free and prevents new accounts from being opened in your name.
- Set up an IRS Identity Protection PIN: Prevents criminals from filing fraudulent tax returns with your SSN. Request one through the IRS.
- Monitor your accounts: Watch for unauthorized transactions, new accounts you didn't open, or credit inquiries you didn't authorize.
- Be skeptical of contact: With your phone number and address exposed, expect targeted phishing. Verify any unexpected calls or emails through official channels.
- Check your credit reports: AnnualCreditReport.com provides free weekly access to all three bureau reports.
Unfortunately, there's no way to know if your specific data was in this breach. IDMerit provides services to businesses, not consumers directly, so you may have never heard of them even if they hold your data.
The Bigger Picture
This breach highlights a fundamental problem with identity verification: the companies collecting your most sensitive data aren't always the ones you interact with directly.
When you verify your identity with Bank A, they might use Company B's API, which draws data from Aggregator C. Your data flows through multiple hands, and you have no visibility into (or control over) any of it.
IDMerit is a small company. $2.9 million in revenue. 25-50 employees. Yet they held identity data on hundreds of millions of people across 26 countries. A single misconfigured MongoDB database exposed it all.
This isn't unique to IDMerit. The identity verification industry is full of similar companies, processing similar data, with varying levels of security maturity. Until there are real consequences for these exposures (not just breach notification letters and free credit monitoring) this will keep happening.
Sources
- Cybernews: Global Data Leak Exposes a Billion Personal Records
- TechRadar: Massive Global Data Breach Sees Over a Billion Records Exposed
- Tom's Guide: 1 Billion Personal Records Exposed
- SC Media: Billions of Records Exposed by Unsecured IDMerit Database
- Firestorm Cyber: The IDMerit Data Leak - A Goldmine for Cybercriminals
Published: February 20, 2026