IDMerit exposes 1 billion identity records in an unsecured database

Researchers recently identified a major breach involving an unsecured database linked to IDMerit, a company that assists businesses in identity verification. The database exposed approximately 1 billion sensitive records across 26 countries, about 203 million of them from the United States alone. The records include essential personal details such as names, addresses, and Social Security numbers. If such information falls into the wrong hands, it can lead to serious consequences.

On November 11, 2025, Cybernews, a cybersecurity publication, unearthed a publicly accessible MongoDB database that seemed to belong to IDMerit. The database, which lacked any password protection, exposed personal information such as dates of birth, national ID numbers, and even communication metadata. The breach’s impact was widespread, affecting individuals not only in the U.S. but also in countries like Mexico, the Philippines, Germany, Italy, and France.

The database was secured the following day, after the company was alerted, and there is no clear evidence that cybercriminals accessed the data. However, it’s important to remember that bots can rapidly scan the internet and copy databases.

When you apply for services like bank accounts or cryptocurrency platforms, you typically share personal information, which IDMerit processes. This data is highly attractive to criminals; they can use it for SIM swap attacks, where they trick your mobile provider into transferring your number to another device. Once they gain control, they can intercept security codes, compromising your accounts. It’s unsettling, really, but that’s the reality we face.

IDMerit responded to the allegations, stating that although they connect to various authorized data sources for identity verification, they don’t control or store the data themselves. They emphasized that they conducted a thorough security review and found no vulnerabilities within their system. Moreover, they implied that the breach was possibly linked to ethical hackers attempting to extort money.

To safeguard personal data and reduce the risk of being targeted, here are some practical tactics:

1) Freeze your credit report

Contact major credit bureaus to freeze your credit, preventing unauthorized loans or credit cards.

2) Stop relying on text message security codes

Switch to an authenticator app for two-factor authentication instead of SMS, which is more vulnerable.

3) Use a password manager

These tools create unique passwords, which makes it harder for attackers to gain access.

4) Consider identity theft prevention services

These services provide alerts if your information pops up in suspicious contexts.

5) Monitor your mobile account closely

Enable additional security features, like a port-out PIN.

6) Use antivirus software

Good antivirus can prevent malware and phishing attempts.

7) Look into personal data deletion services

These services can help remove your information from data broker sites.

8) Be skeptical of unsolicited communications

If contacted by someone who seems to know too much, verify their legitimacy by calling the company directly.

This situation underscores a larger issue: the importance of robust security measures at identity verification companies, which play crucial roles in our digital economy. When one of these companies fails to protect data, it affects millions of individuals, who are often unaware of the vulnerabilities lying behind the scenes. It raises the question of whether these firms should face penalties for such breaches.
