Skip to content
Data breachContained

Data leak at IDMerit - Exposed database

An unprotected MongoDB database linked to identity-verification provider IDMerit exposed roughly 1 billion KYC records across 26 countries, including full names, addresses, dates of birth, national ID numbers, phone numbers and emails.

Victim
IDmerit
records
1.00B

On 21 February 2026, IDMerit β€” a global identity-verification and KYC (Know Your Customer) provider serving banks, fintechs and other financial-services firms β€” was reported to have exposed roughly 1 billion sensitive identity records through an unsecured database. France was among the 26 countries whose residents were affected.

The exposure stemmed from a misconfigured MongoDB instance that was left online without any password protection, meaning anyone who knew its location could access the contents. Cybernews researchers discovered the open database on 11 November 2025; it was secured the following day. The data spanned 26 countries, with the United States alone accounting for more than 203 million records, and significant volumes also tied to Mexico, the Philippines, Germany, Italy and France.

Exposed data categories included:

  • Full names and gender
  • Home addresses and postal codes
  • Dates of birth
  • National ID numbers
  • Phone numbers and email addresses
  • Some telecom metadata and internal flags referencing past breaches

IDMerit stated that its own environment and systems were never compromised, attributing the records to verification data and asserting that its internal review found no vulnerability or unauthorized access. There is no public evidence that criminals downloaded the data before it was taken offline, but the exposed identity details create a lasting risk of identity theft, phishing and SIM-swap fraud for affected individuals.

Sources

  1. fuitesinfos.frhttps://fuitesinfos.fr/article/2026-02-21-idmerit
  2. foxnews.comhttps://www.foxnews.com/tech/1-billion-identity-records-exposed-id-verification-data-leak
  3. pandasecurity.comhttps://www.pandasecurity.com/en/mediacenter/customer-records-idmerit-unprotected/
  4. tomsguide.comhttps://www.tomsguide.com/computing/online-security/1-billion-personal-records-from-26-countries-exposed-in-massive-new-data-leak-how-to-stay-safe

Related incidents