IDMerit exposes 1 billion identity records in unprotected database

Information like your name, home address, date of birth, and even your Social Security number may be out there on the open internet. An unprotected database affiliated with IDMerit, a company that claims to help businesses verify identities, exposed nearly 1 billion sensitive records across 26 countries, researchers say.
In the United States alone, more than 203 million records were left unsecured. These are the exact documents and details that companies use to verify that it is really you. If criminals obtain such information, they have everything they need.
An unprotected database linked to IDMerit left nearly a billion sensitive identity records on the open internet, researchers say. (Morteza Nikoubazl/NurPhoto via Getty Images)
What you need to know about major data leaks
On November 11, 2025, researchers at Cybernews, a cybersecurity news and research publication, discovered an exposed MongoDB database that they believe belongs to IDMerit, a global authentication provider serving banks, fintech firms, and other financial services companies. IDMerit uses AI tools to help businesses perform KYC, short for Know Your Customer, the identity verification process required when you open financial accounts.
The database was not protected by a password. It could be accessed by anyone who knew where to look. It contained full names, home addresses, zip codes, dates of birth, national identification numbers, phone numbers, email addresses and gender information. Some records also contained telecom-related metadata and internal flags that could reference past breaches.
The exposure affected people in 26 countries. The United States had the highest number of exposed records, with more than 203 million. Mexico, the Philippines, Germany, Italy and France were also heavily affected.
The researchers notified the company and the database was secured the next day. There is currently no publicly available evidence that criminals have downloaded the data. Still, it is worth noting that automated bots constantly scan the Internet for open databases and can copy them in a matter of minutes.

The unsecured database reportedly contained highly sensitive details such as names, home addresses, dates of birth and national identification numbers. (Image alliance via Silas Stein/Getty Images)
How did it happen and why is it important to you?
When you open a bank account, sign up for a crypto platform, or verify your identity for a financial app, you’ll typically be asked to upload a government-issued ID and provide personal information. Companies like IDMerit process this information behind the scenes. This means that this database likely contains the same details you would use to prove your identity to a bank or government agency.
For criminals, this is gold. Fraudsters can carry out SIM swapping attacks using your full name, date of birth, national ID and phone number. This is when someone convinces your mobile carrier to transfer your phone number to their device. Once they control your number, they can intercept security codes sent via text message and hack into your bank or email accounts. They may also launch highly targeted phishing scams. Imagine receiving a call or email with your real home address and ID number. It would feel legitimate, and that’s the point.
Because the data was neatly organized, criminals could sort it by country or other details and target large numbers of people with fraud using automated tools.
We reached out to IDMerit for comment but did not hear back before our deadline.

Experts warn that data like this can help criminals launch SIM swapping attacks and highly targeted phishing scams. (Kurt “CyberGuy” Knutsson)
8 ways to protect yourself from data leaks
Here are practical steps you can take now to lock things down and reduce your risk before criminals have the chance to use this information against you.
1) Freeze your credit reports
Contact the major credit bureaus in your country and freeze your credit. This prevents criminals from opening loans or credit cards in your name. Even if someone knows your national ID number and date of birth, lenders will not be able to access your credit file without your permission.
2) Stop trusting text message security codes
If your bank or email account still uses SMS codes for two-factor authentication, switch to an authenticator app instead. Text messages can be intercepted during SIM swapping attacks. An authenticator app generates codes directly on your device, making it much harder for criminals to break in.
3) Use a password manager
If attackers match the leaked credentials with passwords from older breaches, they may try to access your accounts. A password manager creates strong, unique passwords for each account so one leak doesn’t unlock everything else.
Check out the best expert-reviewed password managers of 2026 at: cyberguy.com.
4) Consider protecting against identity theft
Identity theft monitoring services can alert you if your personal information is used to open accounts or appears on dark web markets. Early detection can mean the difference between stopping a scam quickly and discovering it months later. See my tips and top picks for Best Identity Theft Protection at: cyberguy.com.
5) Monitor your mobile account closely
Sign in to your mobile carrier account and enable extra security features, such as a port-out PIN, if available. This adds an additional layer of protection so that someone can’t easily port your phone number to another SIM card.
6) Run antivirus software on your devices
Good antivirus software can block malicious links, fake login pages, and spyware that can be used in tracking attacks. Phishing campaigns often increase after large amounts of data are exposed, and having protection in place can prevent you from running into problems. Get my picks for the 2026 winners for the best antivirus protection for your Windows, Mac, Android, and iOS devices at: cyberguy.com.
7) Consider personal data removal service
Your personal information is often dispersed across data broker sites and people search databases that sell access to your information. A personal data removal service can monitor where your information appears online and work to have it removed. This reduces the amount of data criminals can find about you in one place, making it harder for them to piece together your identity and target you with scams. Check out my top picks for data removal services and run a free scan to see if your personal information is already on the internet by visiting: cyberguy.com.
8) Be skeptical of calls that know too much
If someone contacts you and references your address, date of birth, or ID number, don’t assume they are legitimate. Hang up and call the official number listed on the company’s website. Criminals use real data to make fake stories seem believable.
Kurt’s important takeaway
This incident reveals a bigger problem. Companies that perform identity verification have become critical infrastructure for the digital economy. When one of them leaves a database open, the consequences spread across countries and reach millions of ordinary people who have never even heard of the company. You trusted a bank or app with your identity. That bank relied on a third party. Somewhere in this chain, basic security checks failed.
Should authentication companies face automatic penalties when they expose millions of people’s most sensitive data? Let us know by writing to us at cyberguy.com.
Copyright 2026 CyberGuy.com. All rights reserved.



