Things like your name, home address, date of birth and even your Social Security number may have been sitting on the open internet. Researchers say an unprotected database tied to IDMerit, a company that claims to help businesses verify identities, exposed roughly 1 billion sensitive records across 26 countries.
In the United States alone, more than 203 million records were left unsecured. This involves the exact documents and details companies use to confirm you are really you. If criminals get that kind of information, they’d have everything they need.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
BE AWARE OF EXTORTION SCAM EMAILS CLAIMING YOUR DATA IS STOLEN
Researchers at Cybernews, a cybersecurity news and research publication, discovered an exposed MongoDB database on Nov. 11, 2025, that they believe belongs to IDMerit, a global identity verification provider that serves banks, fintech firms and other financial services companies. IDMerit uses artificial intelligence tools to help businesses perform KYC, short for Know Your Customer, which is the identity verification process required when you open financial accounts.
The database was not protected by a password. Anyone who knew where to look could access it. Inside were full names, home addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses and gender information. Some records also included telecom-related metadata and internal flags that may have referenced past breaches.
The exposure affected people in 26 countries. The United States had the highest number of exposed records at more than 203 million. Mexico, the Philippines, Germany, Italy and France were also heavily impacted.
Researchers notified the company, and the database was secured the following day. There is currently no public evidence that criminals downloaded the data. Still, it’s worth noting that automated bots constantly scan the internet for exposed databases and can copy them within minutes.
YOU COULD BE SHARING YOUR SOCIAL SECURITY NUMBER WHEN YOU DON’T NEED TO
When you open a bank account, sign up for a crypto platform or verify your identity for a financial app, you are often asked to upload a government ID and provide personal details. Companies like IDMerit process that information behind the scenes. That means this database likely contained the same details you would use to prove your identity to a bank or government agency.
For criminals, that is gold. With your full name, date of birth, national ID and phone number, scammers can attempt SIM-swap attacks. This is when someone convinces your mobile carrier to transfer your phone number to their device. Once they control your number, they can intercept security codes sent by text message and break into your bank or email accounts. They can also launch highly targeted phishing scams. Imagine receiving a call or email that includes your real home address and ID number. It would feel legitimate, and that’s exactly the point.
Because the data was neatly organized, criminals could sort it by country or other details and use automated tools to target huge numbers of people with scams.
We reached out to IDMerit for comment, but did not hear back before our deadline.
FIGURE DATA BREACH EXPOSES NEARLY 1M ACCOUNTS
Before criminals have a chance to use this information against you, here are practical steps you can take right now to lock things down and reduce your risk.
Contact the major credit bureaus in your country and place a credit freeze. This prevents criminals from opening loans or credit cards in your name. Even if someone has your national ID and date of birth, lenders will not be able to access your credit file without your permission.
If your bank or email account still uses SMS codes for two-factor authentication, switch to an authenticator app instead. Text messages can be intercepted during SIM-swap attacks. An authenticator app generates codes directly on your device, making it much harder for criminals to break in.
If attackers pair leaked identity data with passwords from older breaches, they can try to access your accounts. A password manager creates strong, unique passwords for every account, so one leak does not unlock everything else.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.
Identity theft monitoring services can alert you if your personal information is used to open accounts or appears on dark web marketplaces. Early detection can mean the difference between stopping fraud quickly and discovering it months later. See my tips and best picks on Best Identity Theft Protection at Cyberguy.com
Log in to your mobile carrier account and enable extra security features, such as a port-out PIN if available. This adds an additional layer of protection so someone cannot easily move your phone number to another SIM card.
Good antivirus software can block malicious links, fake login pages and spyware that may be used in follow-up attacks. After a large data exposure, phishing campaigns often spike, and having protection in place can stop you from clicking into trouble. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
Your personal information is often scattered across data broker sites and people-search databases that sell access to your details. A personal data removal service can monitor where your information appears online and work to get it taken down. This reduces the amount of data criminals can find about you in one place, making it harder for them to piece together your identity and target you with scams or fraud. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.
If someone contacts you and references your address, date of birth or ID number, do not assume they are legitimate. Hang up and call the official number listed on the company’s website. Criminals use real data to make fake stories sound convincing.
This incident exposes a larger problem. Companies that handle identity verification have become critical infrastructure for the digital economy. When one of them leaves a database open, the fallout spreads across countries and millions of ordinary people who never even heard of the company. You trusted a bank or app with your ID. That bank trusted a third party. Somewhere in that chain, basic security controls failed.
Should companies that handle identity verification face automatic penalties when they expose millions of people’s most sensitive data? Let us know by writing to us at Cyberguy.com.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
Copyright 2026 CyberGuy.com. All rights reserved.
