Roughly one billion sensitive records across 26 countries have been exposed as part of a massive data leak, although the company impacted maintains it has no indication that customer data has been compromised.
Researchers say that an unprotected database tied to IDMerit, a company that helps businesses confirm identities, exposed about one billion sensitive records across 26 countries. In America, more than 203 million records were left unsecured. Mexico, the Philippines, Germany, Italy, and France were also heavily impacted by the data leak.
Fox News wrote:
Researchers at Cybernews, a cybersecurity news and research publication, discovered an exposed MongoDB database on Nov. 11, 2025, that they believe belongs to IDMerit, a global identity verification provider that serves banks, fintech firms and other financial services companies. IDMerit uses artificial intelligence tools to help businesses perform KYC, short for Know Your Customer, which is the identity verification process required when you open financial accounts.
The database was not protected by a password. Anyone who knew where to look could access it. Inside were full names, home addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses and gender information. Some records also included telecom-related metadata and internal flags that may have referenced past breaches.
Researchers notified IDMerit, and the database was secured the next day. However, reports have noted that automated bots can scan the internet for exposed databases and can copy them almost instantaneously.
Companies such as IDMerit are used to identify identities when a customer opens up a bank account, crypto account, or other similar accounts for a financial application. However, verifying identities often requires collecting sensitive personal information, such as collecting full names, dates of birth, phone numbers, and other information that scammers can use for phishing and SIM-swap attacks. Scammers can use one’s personal information to transfer your number to their device, to which the criminal can use the phone number to obtain security codes sent by text message to access bank accounts and email accounts.
IDMerit said in a statement:
On November 11, IDMERIT was made aware by an ethical hacker that certain data ports associated with independent data sources could have been open, which had the potential to expose certain databases. Upon receiving this notification, we immediately conducted a comprehensive review of our software, security controls, configurations and system logs. That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment. IDMERIT’s systems and security infrastructure have never been compromised.
At the same time, we notified all relevant data source partners and worked with them to assess the matter. Our partners conducted their own internal investigations and confirmed that there has never been a data breach or exfiltration from their systems during, before or after this event. We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.
Based on our internal review and confirmations from our partners, we have no indication that any customer data has been compromised. [Emphasis added]
IDMerit added, “We continue to maintain robust security safeguards on our systems and are taking these accusations very seriously as we continue to investigate this matter in coordination with our partners.”
Read the full article here