One Billion Identity Records from 26 Countries Exposed in Data Breach

Around 1 billion sensitive records were exposed across 26 countries due to a major data breach, although affected companies assert that there’s no evidence of customer data being compromised.

According to researchers, an unsecured database associated with IDMerit, a firm that assists businesses in verifying identities, exposed about 1 billion confidential records. Over 203 million of these records were left vulnerable in the United States, with Mexico, the Philippines, Germany, Italy, and France also impacted significantly by the breach.

Researchers from Cybernews, a cybersecurity news and research organization, found a publicly accessible MongoDB database on November 11, 2025. This database is believed to belong to IDMerit, which provides identity verification services to banks, fintech firms, and other financial institutions. IDMerit uses AI tools to assist businesses in conducting KYC (Know Your Customer) processes, which are necessary for opening financial accounts.

The database lacked password protection and was available to anyone able to locate it. It contained names, home addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses, and gender information. Some records also included metadata related to communications or internal flags that might have referenced previous breaches.

After being notified by researchers, IDMerit secured the database the following day. However, the report indicates that automated bots could quickly scan and replicate public databases found on the internet.

Firms like IDMerit are typically used to verify customers who are opening bank or cryptocurrency accounts, among other financial applications. However, this identity verification process often requires collecting sensitive personal information, such as names and dates of birth, which scammers can exploit in phishing and SIM swapping attacks. In a SIM swap, scammers use personal details to transfer a victim’s phone number to their own devices, allowing them to receive security codes sent to the victim’s phone and potentially access banking and email accounts.

IDMerit released a statement:

On November 11, IDMerit became aware that certain data ports linked to independent data sources may have been accessed by ethical hackers, possibly exposing some databases. Following this notification, we promptly conducted a thorough review of our software, security measures, configurations, and system logs. This review revealed no exposures, vulnerabilities, or unauthorized access within the IDMerit environment. Our systems and security infrastructure have not been compromised.

Additionally, we informed all relevant data source partners and worked with them to evaluate the situation. Our partners performed their own internal investigations and confirmed that there were no data breaches or leaks from their systems during, before, or after this incident. We requested a security incident report from the Ethical Hacker as proof, but the response was a demand for payment, indicating our suspicion that this was related to ransom.

Based on our internal review and reassurance from our partners, there is no indication that customer data has been compromised. [Emphasis added]

IDMerit further stated: “We maintain strong security measures on our systems and take these accusations seriously as we continue to collaborate with our partners to investigate this situation.”
