Misconfiguration Identity Verification / Fintech · Global · February 2026

IDMerit

Analysis of the IDMerit KYC data exposure affecting approximately 1 billion identity verification records across 26 countries due to a misconfigured MongoDB database.

Records Affected

Approximately 1 billion records

Attack Type

Misconfiguration

Location

Global

Data types exposed

Full names addresses national ID numbers dates of birth phone numbers email addresses telecom metadata KYC/AML verification logs

What Happened

Cybersecurity researchers at Cybernews discovered an unprotected MongoDB database on November 11, 2025, containing approximately one terabyte of data with over 3 billion records, of which roughly 1 billion contained sensitive personal information.
The exposed data was linked to IDMerit, a digital identity verification provider servicing fintech companies, banks, and crypto exchanges. The data included structured KYC records across 26 countries, with the US accounting for over 203 million records.
IDMerit has disputed the findings, stating it does not own, control, or store customer data and that its systems have never been compromised. As of early March 2026, no regulatory investigations have been publicly announced.

Timeline

  • November 11, 2025 — Cybernews researchers discover unprotected MongoDB database containing approximately 1 billion sensitive records
  • November 12, 2025 — Database secured following responsible disclosure
  • February 18, 2026 — Cybernews publishes findings, 99 days after initial discovery

Impact and Risk Assessment

For Individuals

Approximately 1 billion identity verification records were exposed, spanning 26 countries. The US accounted for over 203 million records, Mexico over 120 million, the Philippines 72 million, Germany 61 million, and Italy and France approximately 53 million each.
Exposed data includes full names, national ID numbers, dates of birth, and KYC verification logs, which collectively enable identity theft and fraudulent account creation at scale.
Individuals whose data was used for KYC verification through IDMerit's clients may not be aware their information was exposed, as they had no direct relationship with IDMerit.

For Organisations

Financial institutions, fintech companies, and cryptocurrency exchanges that relied on IDMerit for identity verification may face regulatory scrutiny over their vendor due diligence processes.
Organisations across 26 countries may need to re-verify customer identities if their KYC data was compromised, creating significant operational costs.
The exposure undermines trust in third-party identity verification services, which are foundational to digital onboarding across the financial sector.

Regulatory Context

KYC/AML regulations in multiple jurisdictions require organisations to protect identity verification data. Exposure of this scale may trigger investigations under GDPR (EU), CCPA (California), and equivalent frameworks in the 26 affected countries.
IDMerit's dispute of the findings complicates regulatory response, as the chain of data custody between IDMerit and its clients may be unclear.

What Should You Do?

For Individuals

  • If you have completed identity verification through a fintech, banking, or cryptocurrency platform, monitor your accounts and credit reports for signs of identity misuse.
  • Consider placing a fraud alert or credit freeze with major credit bureaus, particularly if you reside in the US, Mexico, Philippines, Germany, Italy, or France.
  • Be alert to phishing attempts that may use your personal details to appear legitimate.

For Security Professionals

  • Review your organisation's reliance on third-party identity verification providers and assess whether they meet your data protection requirements.
  • Conduct a vendor risk assessment of any identity verification services in your supply chain, focusing on database security controls and access management.
  • Implement monitoring for exposed credentials and identity data associated with your customers through breach notification services.

Learnings and Recommendations

This incident highlights that misconfigured databases remain one of the most common and preventable causes of large-scale data exposure. Basic controls like requiring authentication and restricting network access would have prevented this entirely.
Identity verification providers sit at the foundation of the digital trust stack. When their data hygiene fails, the downstream impact is global and affects every organisation that relied on their verification services.

References

[1] Cybernews - Global data leak exposes billion records — https://cybernews.com/security/global-data-leak-exposes-billion-records/
[2] SC Media - IDMerit exposes billions of records — https://www.scworld.com/brief/idmerit-exposes-billions-of-records-in-major-data-leak
[3] Tom's Guide - 1 billion personal records exposed — https://www.tomsguide.com/computing/online-security/1-billion-personal-records-from-26-countries-exposed-in-massive-new-data-leak-how-to-stay-safe
[4] Biometric Update - IDMerit disputes report — https://www.biometricupdate.com/202602/one-billion-identity-records-exposed-in-unsecured-id-verification-database

Source

https://cybernews.com/security/global-data-leak-exposes-billion-records/ ↗
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.
Back to all advisories