IDMerit Exposes One Billion Personal Records in Massive KYC Database Leak

Digital identity verification provider IDMerit inadvertently exposed more than one billion personal records across 26 countries after leaving a database unsecured and accessible on the public internet, according to research by Cybernews.

Scale of the Exposure

The exposed MongoDB database contained over three billion records weighing more than one terabyte. Security researchers estimate that approximately one billion of these records contained sensitive personal information, with the remaining two billion consisting of database logs deemed “likely less sensitive.”

Countries most affected:

  • United States: 204 million records
  • Mexico: 123 million records
  • Philippines: 72 million records
  • Germany: 60 million records
  • Italy: 53 million records
  • France: 52 million records
  • Turkey: 49 million records
  • Brazil: 39 million records

What Data Was Exposed

The unsecured database contained a wealth of personally identifiable information (PII) used for KYC (Know Your Customer) verification processes:

  • Full names
  • Physical addresses and post codes
  • Dates of birth
  • National identification numbers
  • Phone numbers
  • Email addresses
  • Gender information
  • Telco metadata
  • Breach status and social profile annotations

Identity Verification as Critical Infrastructure

IDMerit is a California-based, AI-powered identity verification and fraud prevention company that provides API-based solutions for KYC, AML (Anti-Money Laundering), and digital identity verification. Founded in 2014, the company serves the financial services and fintech industries globally.

“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms,” Cybernews warned. “Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure.”

The Dangers of Exposed KYC Data

Unlike typical data breaches where hackers infiltrate systems, this was a data leak caused by misconfiguration—the database was simply left unprotected without a password. Cybernews discovered the exposure on November 11 and immediately contacted IDMerit, which subsequently secured the database.
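For operators who want to check their own deployments for the misconfiguration described above (a MongoDB instance reachable from the internet with no authentication), the following is an added example, not code from Cybernews or IDMerit. It audits the text of a mongod.conf file; the two sample configurations and the address 10.0.5.12 are constructed, and the defaults it assumes (localhost bind, authorization disabled) are those of current MongoDB releases.

```python
import re

# Constructed sample configs (not taken from the incident): weak vs. hardened.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten the nested-mapping subset of YAML that mongod.conf uses into dotted keys."""
    settings, stack = {}, []  # stack: (indent, key) of currently open parent mappings
    for raw in conf_text.splitlines():
        m = re.match(r"^(\s*)(\w+):\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value:
            settings[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return settings

def audit(conf_text):
    """Report the two settings that, combined, leave a database open to anyone."""
    s = flatten(conf_text)
    findings = []
    # MongoDB does not enforce access control unless authorization is enabled.
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("auth-disabled")
    # Assumed default: localhost-only bind (MongoDB 3.6+); packaged configs may differ.
    binds = {b.strip() for b in s.get("net.bindIp", "127.0.0.1").split(",")}
    if s.get("net.bindIpAll", "false").lower() == "true" or binds & {"0.0.0.0", "::", "*"}:
        findings.append("listens-on-all-interfaces")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

A clean result only covers the configuration file; command-line options passed to mongod and network-level exposure (firewall rules, cloud security groups) need to be checked separately.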

The structured nature of the leaked data makes it particularly dangerous. Cybercriminals could easily search through records to:

  • Conduct account takeover attacks using verified identity information
  • Launch highly targeted spear-phishing campaigns
  • Commit credit fraud and identity theft
  • Execute SIM swap attacks using phone numbers and personal details
  • Bypass identity verification on other platforms using stolen national IDs

Recommendations

If you’ve used services that may have employed IDMerit for identity verification, consider:

  • Monitoring your credit reports for suspicious activity
  • Being vigilant about targeted phishing attempts via email or text
  • Considering a credit freeze if you’re in one of the most affected countries
  • Enabling multi-factor authentication on all financial accounts
  • Using identity theft protection services

This incident serves as a stark reminder that companies handling sensitive identity verification data must treat security as a paramount concern. The centralization of identity data in third-party verification providers creates significant systemic risk when security lapses occur.


Source: TechRadar, Tom’s Guide, Cybernews