A massive data leak has exposed roughly one billion personal records after an identity verification company left its database unprotected and open to the public internet.

The exposed database belongs to IDMerit, an AI-powered digital identity verification provider that helps businesses confirm user identities through know-your-customer (KYC) processes.

These are the same verification checks you complete when signing up for banking apps, fintech platforms, and other financial services. The irony here is hard to miss: a company designed to prevent fraud just handed cyber-criminals a goldmine of personal data.

Researchers discovered the unprotected MongoDB instance on November 11th, 2025 and contacted IDMerit the following day. The company secured its database that same day.

While no malicious activity has been confirmed, researchers warned that automated crawlers operated by threat actors constantly scan the internet for exposed databases. If security researchers found it, there’s a strong chance bad actors did too.

What Information Was Leaked

The nearly one-terabyte database contained a wide range of personally identifiable information spanning 26 countries. Exposed details include:

• Full names
• Home addresses and postal codes
• Dates of birth
• National ID numbers
• Phone numbers
• Email addresses
• Gender information
• Telecom metadata

The United States was hit hardest with over 203 million records leaked. Mexico followed with 124 million exposed records, and the Philippines came in third at 72 million.

Several European nations also suffered major exposure, including Germany at 61 million along with Italy and France each at 53 million. Countries such as China and Brazil were also affected.

TROYPOINT Tip: Protect your identity and personal info from a data breach by using Aura Identity Theft Protection which is TROYPOINT’s recommended identity theft protection.

Aura Identity Theft Protection Review

Why This Leak Is Dangerous

KYC databases hold some of the most sensitive personal information a person can hand over. When this data falls into the wrong hands, criminals can use it for identity theft, credit fraud, SIM swapping, and targeted phishing attacks.

Telecom metadata found in the database puts exposed individuals at an increased risk for SIM swap fraud, where criminals take control of your mobile phone number to bypass two-factor authentication.

Visit Have I Been Pwned to check whether your email address has appeared in known data breaches.

You should also change passwords on financial accounts, enable two-factor authentication, and contact your mobile carrier to add a PIN against SIM swap attempts.

Final Thoughts

This breach is another reminder that companies handling our most sensitive personal data don’t always protect it the way they should.

An identity verification firm holding records for a billion people across 26 countries carries enormous responsibility, and leaving that data exposed on the open internet is a serious failure.

Consumers have very little control over how third-party companies store their information, which makes personal security tools and credit monitoring more important than ever.

For more details on this story, refer to the report from Cybernews.

We want to know your thoughts. What do you think about this story? Let us know in the comment section below!

Be sure to stay up-to-date with the latest streaming news, reviews, tips, and more by following the TROYPOINT Advisor with updates weekly.