IDMerit Data Leak Exposes 1 Billion Identity Records — Are You at Risk?

A database linked to IDMerit, a global identity verification company, left roughly 1 billion identity records exposed on the open internet. The unprotected MongoDB instance, discovered on 11 November 2025, contained highly sensitive personal information including full names, home addresses, dates of birth, national ID numbers, phone numbers, email addresses and gender information.

The United States was the most affected, with more than 203 million records left unsecured. Other heavily impacted countries included Mexico, the Philippines, Germany, Italy and France. While there is no public evidence that criminals accessed the data, experts warn that the organised format of the records could make them easy to exploit for fraud or targeted attacks.

Details of the Exposure and Potential Risks

Cybersecurity specialists explained that the exposed database contained information often used by banks, fintech platforms and financial services for identity verification. IDMerit uses artificial intelligence tools to perform Know Your Customer procedures, which require customers to provide government-issued identification and personal details.

Criminals with access to such data could carry out SIM-swap attacks, intercept two-factor authentication codes, or launch phishing campaigns using personal information to make messages appear legitimate.

Even without confirmed theft, the risk is considered high because automated bots constantly scan the internet for unsecured databases and can copy data within minutes.

IDMerit Response to the Security Incident

IDMerit issued a statement confirming that its systems were not breached. The company said that the exposed data came from independent data sources and that its platform did not store customer data.

Following the alert from Cybernews, IDMerit conducted a comprehensive review of its software, security controls and system logs and found no vulnerabilities within its environment.

The company also contacted relevant data source partners, who confirmed that no data had been exfiltrated from their systems. IDMerit characterised the incident as linked to a potential ransom attempt by an ethical hacker who demanded payment for a security incident report.

Global Scope of the Data Exposure

The exposure affected individuals in 26 countries, highlighting the interconnected nature of identity verification services. Security researchers emphasised that even if no criminal activity is reported immediately, the sheer scale of 1 billion records makes it a significant risk to millions of people worldwide.

Because the data was neatly organised, criminals could theoretically sort records by country, age or other details to target large numbers of people for fraud.

Experts advise that the incident should serve as a reminder of the importance of cybersecurity in companies handling personal identification information.

Practical Steps for Individuals to Protect Themselves

Cybersecurity authorities recommend that individuals take immediate steps to mitigate potential risks. This includes placing a credit freeze with major credit bureaus, switching from SMS-based two-factor authentication to authenticator apps, and using strong, unique passwords across accounts with the help of a password manager.

Identity monitoring services can alert users if their personal information appears in unauthorised places or on the dark web. Mobile users should enable additional security features, such as port-out PINs, to protect against SIM-swap attacks.

Experts also advise caution when receiving calls or emails referencing personal details, and recommend verifying any communication through official channels before responding.

Antivirus software and personal data removal services can further reduce exposure, blocking malicious links and limiting the availability of personal information online. Individuals are urged to review their digital security practices following the IDMerit data leak to prevent potential identity theft or fraud.