
- IDMerit kept an unsecured database of over three billion records
- Experts find database and manage to get it locked down
- Personal info exposed, but affected users may be low in number
Experts have revealed IDMerit, an AI-powered digital identity verification solutions provider, kept an enormous database filled with sensitive customer information unlocked and easily accessible on the public internet.
In total, more than three billion records were discovered by cybersecurity researchers from Cybernews and eventually locked down.
The team said it found an open MongoDB database weighing more than a terabyte, which included records such as full names, addresses, post codes, dates of birth, national IDs, phone numbers, gender, email addresses, telco metadata, and breach status and social profile annotations.
Major breach
The size of the database does not mean three billion people were exposed, since multiple records belong to a single person, but the scale of the leak is still quite massive.
Cybernews says roughly a billion records probably contained sensitive data, while the other two billion are database logs that are “likely less sensitive”.
The database is also global, as individuals from 26 countries had their data exposed, with those in the US being most affected (more than 203 million records). Mexico (124 million) and the Philippines (72 million) round off the top three, with Germany, Italy, and France making notable appearances, with 61m and 53m records leaked respectively.
“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms. Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure,” Cybernews said.
Based in California, IDMerit is a global identity-verification and fraud-prevention technology firm that provides API-based solutions for KYC, AML and digital identity verification.
As of 2025 it operates with roughly 25–50 employees and serves a growing global customer base, generating about $2.9 million in annual revenue. The company was founded in 2014 and trades as a privately held US tech provider.
"IDMERIT is a software-as-a-service company that provides identity verification technology," the company told us in a statement. "We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources. Our platform connects to authorized data sources globally to verify individual identities on behalf of our customers."
"On November 11, IDMERIT was made aware by an ethical hacker that certain data ports associated with independent data sources could have been open, which had the potential to expose certain databases. Upon receiving this notification, we immediately conducted a comprehensive review of our software, security controls, configurations and system logs. That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment. IDMERIT’s systems and security infrastructure have never been compromised."
"At the same time, we notified all relevant data source partners and worked with them to assess the matter. Our partners conducted their own internal investigations and confirmed that there has never been a data breach or exfiltration from their systems during, before or after this event. We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident."
"Based on our internal review and confirmations from our partners, we have no indication that any customer data has been compromised. We continue to maintain robust security safeguards on our systems and are taking these accusations very seriously as we continue to investigate this matter in coordination with our partners."