When you open a bank account, sign up for a crypto platform, or verify your identity for a financial app, your personal details pass through a hidden layer of technology you never see — identity verification companies. In November 2025, researchers discovered that one of those companies, IDMerit, left a database containing roughly 1 billion sensitive identity records completely unprotected on the open internet. No password. No authentication. Just a door left wide open.

For Americans, the damage is staggering: more than 203 million US records were exposed. That’s nearly two-thirds of the entire US population’s identity verification data sitting on an unsecured server.


What Happened

On November 11, 2025, researchers at Cybernews discovered an exposed MongoDB database they believe belongs to IDMerit — a California-based company founded in 2014 that provides AI-powered Know Your Customer (KYC) and identity verification services to banks, fintech platforms, crypto exchanges, and other financial institutions operating in over 175 countries.

The database had zero password protection. Anyone with knowledge of its IP address could read, copy, export, or even delete the entire contents. The total size of the exposed data was nearly 1 terabyte, containing roughly 3 billion total records — of which approximately 1 billion contained sensitive personally identifiable information (PII).
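As an added illustration (not code from the article, from Cybernews or from IDMerit), the following Python audits a mongod.conf for exactly the exposure described here: a listener reachable from the network while security.authorization is disabled. The minimal parser and the two sample configurations are constructed for this example; the defaults it falls back on when a key is absent (localhost-only bind, authorization disabled) are mongod's documented defaults.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_mongod_conf(text):
    """Minimal parser for mongod.conf's two-level section/key layout (not general YAML)."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # strip comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):              # top-level section header
            section = key
            tree.setdefault(section, {})
        elif section is not None:                 # indented key under that section
            tree[section][key] = value.strip()
    return tree

def audit_mongod_conf(text):
    """Return findings for the exposure pattern; an empty list means none found."""
    cfg = parse_mongod_conf(text)
    net, sec = cfg.get("net", {}), cfg.get("security", {})
    # mongod defaults when a key is absent: localhost-only bind, authorization disabled
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    reachable = net.get("bindIpAll", "false").lower() == "true" or any(
        ip not in LOOPBACK for ip in bind_ips)
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    if reachable and not auth_on:
        return ["CRITICAL: network-reachable listener with authorization disabled; "
                "anyone who finds the IP can read, export or drop every collection"]
    if not auth_on:
        return ["HIGH: authorization disabled; enable it before exposing port 27017"]
    if reachable:
        return ["MEDIUM: reachable from the network; restrict bindIp or firewall 27017"]
    return []

# Constructed sample configurations (not taken from any real deployment)
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0       # every interface, including the public one
security:
  authorization: disabled
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,::1 # loopback only; app hosts reach it over a private network
security:
  authorization: enabled
"""
```

Running `audit_mongod_conf(WEAK_CONF)` returns the CRITICAL finding, while the hardened configuration returns an empty list.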

Cybernews notified IDMerit, and the database was secured the following day, November 12. The public disclosure came 99 days later, on February 18, 2026 — a delay that has raised questions from privacy advocates about notification timelines and affected parties’ ability to protect themselves.


What Was Exposed

This wasn’t a breach of marketing emails or loyalty points. IDMerit processes the exact documents and details used to prove your identity to a bank or government agency. The database contained:

  • Full legal names
  • Home addresses and postal codes
  • Dates of birth
  • National ID numbers (including Social Security numbers for US records)
  • Phone numbers
  • Email addresses
  • Gender information
  • Telecom metadata — mobile network information that enables SIM-swap attacks
  • KYC/AML verification logs — timestamps, verification outcomes, compliance flags
  • Internal breach history flags — notes indicating whether individuals appeared in prior breaches
  • Risk assessment annotations

Those last two items are especially alarming. Not only was your identity data exposed — the database also contained metadata indicating whether your data had been compromised in previous breaches. Criminals with access to that information know exactly who is already compromised and potentially easier to exploit.


The Scale: 26 Countries, 1 Billion People

The breach affected people across 26 countries. The US had the largest number of exposed records by far, but the scale in other countries raises its own serious questions:

Country               Records Exposed
United States         203 million+
Mexico                ~124 million
Philippines           ~72 million
Germany               ~61 million
Italy                 ~53 million
France                ~53 million
20 other countries    Remaining records

The Italy figure has attracted particular scrutiny from researchers: 53 million records in a country with roughly 59 million people suggests an implausibly high coverage rate given realistic fintech adoption numbers. IDMerit itself disputes the entire report, which we’ll address below.


IDMerit’s Response: Denial and Extortion Accusations

IDMerit pushed back firmly against the Cybernews report. The company issued a statement denying that any breach occurred within its own environment:

“IDMERIT is a software-as-a-service company that provides identity verification technology. We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources.”

The company also made a striking accusation against the researchers: when IDMerit requested a formal security incident report from the “ethical hacker” who made the initial notification, the response was allegedly a demand for payment. IDMerit characterized this as an extortion attempt and stated it was a factor in doubting the legitimacy of the disclosure.

IDMerit’s partners conducted their own investigations and confirmed no breach or exfiltration from their systems, according to the company.

The dispute leaves key questions unresolved. IDMerit’s platform claims to process identity data via API in under 5 seconds and delete it immediately post-verification — meaning no persistent database should exist. If that’s accurate, whose database was it? Cybernews says it has technical evidence linking the database to IDMerit. Neither side has published independent verification of their claims.


Why KYC Data Is More Dangerous Than a Typical Breach

Most data breaches involve credentials that can be changed — passwords reset, credit cards replaced. KYC breaches are different. The data exposed is the same information used to prove who you are. National ID numbers, Social Security numbers, and government-issued ID details cannot be revoked the way a password or credit card number can. Once that information is out, it stays out — permanently.

Here’s what criminals can do with this kind of data:

SIM-Swap Attacks

The telecom metadata exposed in the IDMerit database is particularly dangerous. Armed with your name, ID number, and mobile carrier information, criminals can contact your carrier and impersonate you to transfer your phone number to their device. Once they control your number, every SMS-based security code — from your bank, your email, your cryptocurrency account — routes to them.

Targeted Phishing

Imagine receiving a call from someone who knows your real home address, date of birth, and ID number. It sounds completely legitimate. That’s exactly what criminals use this data for — crafting scam calls and emails so personalized that victims trust them.

Synthetic Identity Fraud

By combining your SSN with a different name and address, criminals can manufacture entirely new identities for purposes like opening fraudulent lines of credit, taking out loans, or filing false tax returns. These synthetic identities are notoriously difficult to detect and can take years to surface.

Account Takeovers

Financial institutions rely on identity verification questions and “proof of life” data to confirm identity before unlocking accounts. With the data from a KYC breach, criminals can answer those questions correctly — bypassing security designed specifically to stop them.


This Is Part of a Pattern

The IDMerit incident does not exist in isolation. The KYC and identity verification sector has experienced a series of major security failures over the past two years:

AU10TIX (June 2024): Employee credentials were exposed for more than 12 months. AU10TIX provides identity verification for Uber, TikTok, X, Bumble, Fiverr, and Upwork. The exposed credentials gave access to user identity documents and facial images.

Sumsub (July 2024, discovered January 2026): An 18-month compromise went undetected. Sumsub is a major KYC provider serving regulated financial institutions. The breach remained hidden for a year and a half before discovery.

Veriff (December 2025): Unauthorized access to systems was discovered after a customer, Total Wireless, reported the incident.

Three major incidents at KYC vendors in 18 months represent a systemic risk, not a series of isolated failures. The companies that banks and fintechs hire specifically to secure identity verification are themselves proving vulnerable to the very kinds of breaches they exist to prevent.


The Regulatory Silence

Given the scale — 1 billion records across 26 countries, including 203 million Americans — the regulatory response has been conspicuously quiet.

  • No FTC investigation has been announced
  • No state attorneys general have publicly taken action
  • No European data protection authority (despite Germany, France, and Italy all being GDPR-protected jurisdictions) has announced breach notifications or investigations

Under GDPR, organizations must notify the relevant data protection authority within 72 hours of becoming aware of a breach that poses risk to individuals. The 99-day gap between discovery (November 11, 2025) and public disclosure (February 18, 2026) raises serious compliance questions for IDMerit’s European operations — if the data is indeed theirs.

The California Consumer Privacy Act (CCPA) also provides statutory damages of $100–$750 per affected California consumer per incident for breaches resulting from failure to implement reasonable security. With 203 million US records, the exposure is potentially enormous.

No class action lawsuits have been announced as of March 2026.


What You Should Do Right Now

Whether or not you’ve used a service that employed IDMerit, this breach is a reminder of how invisible the identity verification supply chain is — and how little control you have over where your data ends up once you hand it over. Here’s what you can do to protect yourself.

1. Freeze Your Credit

A credit freeze is the single most effective tool against identity fraud. Contact Equifax, Experian, and TransUnion and place a freeze on your credit file. This prevents anyone — including criminals with your full identity data — from opening new accounts in your name. It’s free, reversible, and takes minutes.

2. Drop SMS-Based Two-Factor Authentication

If any of your important accounts (bank, email, crypto) still use text message verification codes, switch to an authenticator app immediately. Text codes are interceptable through SIM-swap attacks. Google Authenticator, Authy, and similar apps generate codes on your device — making them significantly harder to steal.

3. Set a SIM Lock / Port-Out PIN With Your Carrier

Log in to your mobile carrier account and look for SIM lock or port-out PIN features. This adds a PIN or passcode requirement before your number can be transferred to another device. All major US carriers offer this; most people have never turned it on.

4. Monitor for Suspicious Account Activity

Set up transaction alerts on every bank and credit account so you’re notified of any charge the moment it happens. Enable login notifications on your email and financial accounts. Early detection is the difference between a quick recovery and months of damage control.

5. Watch for Unusually Convincing Phishing

The data exposed in this breach — real names, addresses, ID numbers, phone numbers — gives criminals everything they need to craft highly persuasive impersonation scams. Be especially skeptical of any outreach (calls, emails, texts) that references your personal details. That information being “known” does not make the contact legitimate. Hang up and call back using the official number on the company’s website.

6. Consider an Identity Monitoring Service

Services that monitor for your personal information appearing in dark web markets, new account openings, or fraud databases can give you early warning before you discover fraud on your own. Given the nature of KYC data, monitoring specifically for new credit inquiries and account openings in your name is particularly important.

7. Be Especially Vigilant if You’ve Verified Identity for a Fintech or Crypto Platform

IDMerit specifically served banks, fintech platforms, neobanks, crypto exchanges, BNPL services, and online lenders. If you’ve verified your identity for any of these types of services — particularly ones that asked for a government ID photo and selfie — your data may have passed through their platform.


The Bigger Problem Nobody Is Talking About

IDMerit’s statement that it doesn’t “own, control or store customer data” points to a structural issue at the heart of the modern identity economy: you have no idea who actually holds your identity data.

When you hand your driver’s license to a crypto exchange, you’re not just trusting the exchange — you’re trusting every vendor in their technology stack. IDMerit. Their data source partners. Their cloud provider. Every integration in the chain. You consented to one company’s privacy policy. You got dozens of data custodians.

This breach — disputed or not — forces a necessary conversation about whether the KYC supply chain has any meaningful security standards, who is responsible when a link in that chain fails, and whether consumers have any realistic way to know which companies hold their verified identity data.

Until regulators close that gap, the responsibility falls back on you. Freeze your credit. Lock your SIM. Drop SMS codes. And assume your identity data has already been in places you never authorized.


Sources: Cybernews, Fox News CyberGuy Report, Biometric Update, Tom’s Guide, Crowdfund Insider, Fincrime Central, IBTimes UK, IDMerit statement