Another 3bn personal records leaked and you trust Starmer and Kendall with Digital ID?
Put aside Digital ID being a method of state control, monitoring and enforcement, the risk of all our biometric data being leaked or hacked is real. It needs Restore Britain to stop it.
IDMerit is a California-based AI-powered digital identity verification provider specialising in KYC (Know Your Customer) and AML services for fintech and financial institutions. It’s now known that they accidentally exposed approximately 3 billion sensitive personal records across 26 countries.
Cybersecurity researchers at Cybernews discovered the 1 terabyte database on November 11, 2025. The database was publicly accessible online with no password or authentication required. They notified the company immediately, and IDMerit secured the database the following day. No evidence of malicious exploitation has been reported, though researchers note that automated threat actor crawlers routinely scan for and download such exposed instances, so no one can be sure whether this data is out in the public domain at this time.
Database contents
The database contained roughly 3 billion total records. About 1 billion were sensitive personal data, while the remaining 2 billion consisted of less sensitive database logs. Exposed information included:
Full names
Addresses and post codes
Dates of birth
National IDs
Phone numbers
Gender
Email addresses
Telco metadata
Breach status flags
Social profile annotations
This structured KYC-style data originated from IDMerit’s identity verification services used by client organisations worldwide.
The scale is astounding
This affects individuals and businesses across the globe, and it’s understood that the exposed records include:
United States: ~203–204 million records
Mexico: ~123–124 million
Philippines: 72 million
Germany: 60–61 million
Italy: 52–53 million
France: 52–53 million
Additional countries included Turkey (49M), Brazil (39M), Spain (31M), Malaysia (24M), Vietnam (21M), Argentina (20M), Colombia (18M), Peru (14M), Canada (12M), Australia (12M), and smaller volumes down to Morocco (1M). The full list spans 26 nations across North America, Europe, Asia, Latin America, and the Middle East.
Importantly, this was not a breach involving unauthorised intrusion. It was a classic human misconfiguration with an open database left exposed on the public internet. IDMerit has not issued a public statement as yet despite contact from multiple outlets including ourselves.
Risks and Implications
Experts at Cybernews warn of serious downstream consequences due to the data’s richness and structure:
Account takeovers
Targeted phishing campaigns
Credit and identity fraud
SIM-swapping attacks (enabled by national IDs + telco metadata)
Sophisticated social engineering
The leak underscores a growing concern that third-party identity verification vendors have become critical infrastructure. A single misstep can create a single point of catastrophic failure for entire sectors relying on their systems, including for the age verification checks recently introduced for the public under the Online Safety Bill in the UK.
This incident joins a string of recent large-scale configuration-based exposures, including an 8.7 billion-record Elasticsearch incident involving primarily Chinese data reported earlier in 2026.
What should affected individuals do?
Watch for unsolicited calls, texts, or emails referencing personal details (a hallmark of targeted phishing).
Monitor bank statements, credit reports, and accounts for unusual activity.
Enable two-factor authentication everywhere (preferably app-based or hardware keys, not SMS).
Consider enrolling in credit monitoring or identity theft protection services if offered through breached organisations or available via your bank/employer.
Use strong, unique passwords managed by a reputable password manager.
Increase your own security today
While the database is now locked and no active exploitation is confirmed, the sheer volume and sensitivity of the exposed KYC data make this one of the most significant configuration leaks on record. For consumers, it’s another reminder that your personal information is often held by vendors you’ve never heard of. Remember to increase your own security and vigilance. Consider investing in a VPN like Proton or Nord, use 2FA where you can, and make sure you don’t use the same password on all your accounts! Both Mac and PC have their own built-in password managers, so use them.
For the industry, it’s a wake-up call that AI-powered verification must include equally robust security standards, starting with not leaving terabytes of sensitive records wide open on the internet for anyone to access, because the Chinese or Russian bots will.
If you suspect your data was involved, treat it as compromised and act accordingly.