A California identity verification company left a MongoDB database completely open on the public internet — no password, no authentication, no barrier of any kind. Inside: roughly one billion personal records used by banks and fintech companies to confirm who their customers are. Researchers at Cybernews stumbled across it on November 11, 2025. The public did not find out until February 18, 2026. That 99-day gap is part of the story.
The company at the center of this incident is IDMerit — not a household name, but a company that touches the identity of a remarkable number of people. Founded in 2014 and based in Carlsbad, California, IDMerit operates as a software-as-a-service provider in the Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance space. Its clients are the platforms you use every day: banks, fintech apps, cryptocurrency exchanges, buy-now-pay-later services, and payment processors. When those platforms ask you to verify your identity by uploading a government ID, IDMerit's infrastructure is often what processes and validates that information on the back end.
Who Is IDMerit and What Does It Do?
IDMerit's product line centers on its IDMkyX platform, which bundles together KYC verification, AML screening, document scanning, biometric facial recognition, sanctions list checks, PEP (Politically Exposed Person) screening, and device fingerprinting into a single API. The company markets access to over 440 data sources across more than 180 countries, claiming the ability to verify identity against government databases, telecom providers, and utility records globally. Its own website states it has "direct relationships with official data sources globally" and provides coverage for over five billion people.
That scale is precisely what makes this incident significant. IDMerit is not just storing the data of its own direct customers. Its platform sits at the intersection of the identity verification supply chain, pulling from and connecting to data sources operated by third parties — and aggregating the results in a centralized system. When that system is left unprotected, the exposure is not limited to IDMerit's own users. It radiates outward to every person whose identity was ever checked through a company that used IDMerit's API.
What Was Exposed and How
On November 11, 2025, researchers at Cybernews — a cybersecurity news and research publication — discovered an unprotected MongoDB instance they attribute to IDMerit. The company was notified the same day, and secured the database by November 12. According to Cybernews, the full database contained approximately three billion records in total, of which roughly one billion contained sensitive personally identifiable information. The data totaled over one terabyte. The database required no authentication to access: anyone who located the URL could read, copy, export, or delete its entire contents without a single credential.
The records exposed included full legal names, home addresses with postal codes, dates of birth, government-issued national ID numbers, phone numbers, email addresses, gender information, telecom metadata, KYC and AML verification logs, breach-status annotations, and social profile flags. Some records also included internal flags referencing past known breaches — meaning this database did not just contain identity data, it contained metadata about prior compromise events.
The geographic spread of the affected records underscores just how global the exposure was. The United States accounted for the largest share, with over 203 million records unsecured. Mexico followed with approximately 124 million. The Philippines contributed around 72 million records. Germany had roughly 61 million, while Italy and France each had approximately 53 million. The remaining records spanned more than 20 additional countries across multiple continents. This was not a regional incident. It was a failure that touched identity infrastructure on every major continent.
MongoDB instances without password protection are a well-documented vulnerability class. Automated scanning tools continuously index the entire IPv4 address space for open database ports. An unprotected instance is typically discovered by malicious bots within hours of going online — not days, not weeks. Enabling basic authentication is a standard, built-in feature of every MongoDB deployment. This exposure required no exploit, no vulnerability, and no sophisticated attacker. The door was simply left open.
The 99-Day Disclosure Gap
Cybernews notified IDMerit on November 11, 2025. The company secured the database the following day. That response time — roughly 24 hours — is operationally acceptable. What is harder to justify is what happened next: nothing publicly visible for 99 days. Cybernews did not publish its findings until February 18, 2026. IDMerit issued a public statement only after that report appeared.
During that 99-day window, the downstream clients who used IDMerit's platform for identity verification received no public notification. The individuals whose national ID numbers, phone numbers, and home addresses were in that database received no public notification. No regulator has publicly confirmed that formal breach notifications were issued to affected individuals during that window, and as of this writing, no enforcement action has been announced by any authority in any of the 26 affected countries.
Zyphe noted in February 2026 that the absence of confirmed exfiltration is not the same as confirmed non-access. The two conditions are meaningfully different, and conflating them understates the risk.
The duration of the exposure before Cybernews discovered it on November 11 has also never been disclosed. The database may have been open for hours. It may have been open for months. Nobody has said. That unknown window is where the real risk lives — because automated crawlers operated by criminal organizations scan the open internet continuously, and an unsecured, structured terabyte of KYC data is exactly what they are looking for.
What Criminals Can Do With This Data
This was not a database of usernames and passwords. Passwords can be changed. What was in this database cannot be changed: legal names, government-issued ID numbers, dates of birth, home addresses, phone numbers. These are the foundational credentials of identity. They are what the government uses to issue documents and what banks use to open accounts. Once they are in the wrong hands, the damage potential is both severe and long-lasting. For a closer look at how permanently dangerous exposed identity numbers are, the PayPal Working Capital breach and the Social Security number problem illustrate why this class of data demands a different risk calculus than a leaked password ever could.
The specific attack types this data enables include the following. SIM swapping — a threat actor contacts a mobile carrier, uses the victim's name, address, date of birth, and account details to convince the carrier to transfer the victim's phone number to an attacker-controlled SIM. Once successful, every SMS-based two-factor authentication code for every account tied to that phone number is now delivered to the attacker. Account takeover, bank fraud, and cryptocurrency theft commonly follow.
Synthetic identity fraud is another high-risk outcome. Criminals combine real elements — a legitimate Social Security Number from this database, for example — with fabricated names and addresses to create "synthetic" identities that pass automated verification checks. These synthetic identities are then used to open credit lines, obtain loans, and disappear before the fraud is detected. Synthetic identity fraud is one of the fastest-growing categories of financial crime in the United States, and this type of database is exactly the raw material it requires.
The organized, structured format of the exposed records compounds the risk further. Unlike raw dumps of unstructured data, a well-organized database allows a criminal or criminal organization to sort records by country, age group, or financial service type and run automated attack campaigns against millions of targets simultaneously. The data was neatly formatted for exactly the kind of automated processing that large-scale fraud operations require.
The Cybernews Research Team warned in February 2026 that at this scale, downstream risks span account takeovers, targeted phishing, credit fraud, and SIM swaps — and that the case illustrates how third-party identity vendors have become "single points of catastrophic failure."
IDMerit's Response and the Extortion Claim
After Cybernews published its report, IDMerit issued a public statement that did several things at once. It disputed ownership of the data, claimed its own systems were never compromised, and alleged that the researcher who reported the leak was involved in an extortion attempt. The full statement, provided to both CyberGuy and Cybernews, reads in part:
IDMerit stated it does not own, control, or store customer data — that its platform connects to authorized data sources globally to verify identities on behalf of clients. The company said its internal review found no exposure within its own environment and that its systems "have never been compromised." IDMerit also alleged that when it requested proof of the incident, the researcher responded with a demand for money — which the company characterized as a ransom-related incident. IDMerit added that its data source partners conducted their own investigations and found no breach or exfiltration before, during, or after the event. — IDMerit spokesperson, provided to CyberGuy, Cybernews, and Biometric Update, February 2026
Cybernews addressed the payment claim directly in an editor's note appended to its original report:
On February 26, 2026, Cybernews acknowledged that the researcher who provided the findings was a freelance contributor, but stated the editorial team had been unaware of any communication between the researcher and IDMerit about payment until that date. Cybernews stated its mission is "solely to educate and safeguard consumers worldwide" and that it does not sell exploit fixes to affected companies.
What remains publicly unresolved is the central technical question: if IDMerit's own systems were never compromised, whose database was it? The company's position — that it connects to independent data sources and does not directly store customer data — means it is pointing responsibility toward unnamed third-party data partners. Those partners have not made any public statements, and the specific data sources linked to the exposed instance have not been identified by name.
The Counter-Narrative: Is There a Legitimate Dispute?
IDMerit's pushback is not limited to the extortion allegation. The company and some of its advocates have raised a more substantive technical argument: that IDMerit's architecture is specifically designed to process identity data in real time and discard it upon verification completion. Under that model, no persistent central database of KYC records should exist to be misconfigured or exposed. If accurate, it raises a genuine question about Cybernews's attribution — whether the database belonged to IDMerit directly or to one of the independent data sources its platform connects to.
Several analysts have also flagged the scale figures as statistically difficult to reconcile. Italy was assigned approximately 53 million exposed records. Italy's total population in 2025 is roughly 59 million — implying that essentially the entire country's population, including children and non-digitally active adults, passed through a single mid-tier KYC vendor's infrastructure. Mexico's implied coverage would approach 95 percent of its total population. The US figure of 203 million, against an eligible adult population of roughly 260 to 270 million, would suggest that between 75 and 80 percent of every KYC-eligible American adult had identity data processed through IDMerit. These are not numbers that, on their face, match the market position of a company with approximately $2.9 million in annual revenue.
Cybernews and Biometric Update both reviewed the findings independently and confirmed the data was legitimate. Biometric Update, reporting separately, noted that IDMerit did not dispute the existence of the exposed data — it disputed ownership of it. That is a meaningful distinction. The debate is not about whether the database existed or whether it was unprotected. It is about which entity in the supply chain bears responsibility for deploying and misconfiguring it.
The following facts are confirmed across multiple independent sources: a MongoDB instance containing identity data was accessible on the public internet without authentication; Cybernews discovered it on November 11, 2025; IDMerit secured a database by November 12, 2025; public disclosure occurred February 18, 2026. What is not confirmed: whether IDMerit directly owned and deployed the database, whether any malicious actor accessed or exfiltrated the data before it was secured, whether formal breach notifications were issued to individuals, and whether any regulatory investigation has been opened in any of the 26 affected countries.
This Is a Pattern, Not an Outlier
The IDMerit incident does not exist in isolation. The KYC vendor ecosystem has produced a series of significant security failures in recent years, and the pattern reveals a structural problem: identity verification companies sit at the highest-value point in the data supply chain, yet they have historically faced fewer regulatory consequences for mishandling that data than the financial institutions that hire them. The Odido breach — which handed names, bank accounts, and government IDs for one-third of the Dutch population to unknown attackers through a single compromised CRM — illustrates how a single point of concentrated identity data becomes a high-value target regardless of the organization holding it.
In June 2024, AU10TIX — a KYC vendor whose clients include Uber, TikTok, X (formerly Twitter), Bumble, Fiverr, Upwork, PayPal, LinkedIn, and Coinbase — was found to have left employee credentials exposed for over a year. According to reporting by 404 Media, those credentials had been stolen in December 2022, appeared on Telegram in March 2023, and were still working when researchers checked in June 2024. The credentials granted access to a logging platform containing identity documents, facial recognition images, and personal data of users verified through AU10TIX's platform. A single set of exposed credentials became a master key to identity data across more than a dozen major platforms simultaneously. AU10TIX told 404 Media its investigation had determined the credentials "were promptly rescinded" — but the credentials still worked when the researcher verified this claim directly.
In December 2025 — the same month Cybernews was preparing to publish its IDMerit findings — Veriff's systems were compromised when an unauthorized external party accessed customer data belonging to Total Wireless subscribers. According to the official breach notification filed with the Maine Attorney General, the unauthorized access occurred around November 18, 2025, and was detected on December 10, 2025. Veriff notified Total Wireless that day. The data accessed included images of government-issued identification documents and in some cases postal addresses and dates of birth. Total Wireless confirmed its own systems were not impacted — the compromise existed entirely within Veriff's infrastructure. The incident has since produced at least three federal class action lawsuits.
The systemic issue is one of concentration and accountability. IDMerit, as noted by State of Surveillance, is a small company — approximately $2.9 million in annual revenue and 25 to 50 employees — yet it held identity records, or access to identity records, on hundreds of millions of people across 26 countries. The mismatch between organizational size, security maturity, and the sensitivity of the data being handled is not unique to IDMerit. It is endemic to an industry built on the promise that identity can be verified cheaply, quickly, and at global scale. The AU10TIX incident, the Veriff incident, and the IDMerit incident occurred within an 18-month window. Each involved a different company, a different failure mode, and a different set of affected platforms — but the same structural precondition: a centralized repository of high-value identity data with inadequate controls.
What You Should Do Now
If You Are an Individual
If you have opened a bank account, signed up for a fintech or cryptocurrency platform, applied for a buy-now-pay-later service, or gone through any digital identity verification process in the United States, Mexico, the Philippines, Germany, France, Italy, or any of the other 20 countries in this dataset, your data may be part of this exposure. You cannot know for certain whether it is. The following steps are not optional — they are the baseline response to this class of incident.
Freeze your credit with all three major bureaus — Equifax, Experian, and TransUnion. A credit freeze prevents new accounts from being opened in your name, regardless of what personal information an attacker holds. It is free, it can be lifted temporarily when you need to apply for credit, and it is the single most effective barrier against new-account fraud using stolen identity data.
Move away from SMS-based two-factor authentication immediately. Because phone numbers and telecom metadata were part of this exposure, SIM swap attacks are a specific and elevated risk for anyone whose data was included. Switch to an authenticator app — Google Authenticator, Authy, or similar — or a hardware security key such as a YubiKey. These methods are not vulnerable to SIM swapping because they do not route through your phone number.
Set up an IRS Identity Protection PIN if you are a US taxpayer. This is a six-digit code issued by the IRS that must be included on any tax return filed in your name. It prevents criminals from filing fraudulent tax returns using your Social Security Number. You can request one through the IRS website.
Be highly skeptical of any unexpected contact — phone calls, emails, or text messages — that references your personal details. Because this database contained names, addresses, national ID numbers, and phone numbers together, attackers can craft extremely convincing impersonation scenarios. A call that references your exact home address and the last four digits of your national ID number is not proof that the caller is legitimate. Hang up and contact the organization directly through a number you find independently.
What Financial Institutions and Fintech Platforms Should Do
The standard post-breach recommendation to consumers — change your passwords, watch your statements — does not address the structural failure that produced this incident. Financial institutions and fintech platforms that relied on IDMerit's API bear a share of accountability, and the appropriate response goes well beyond a breach notification email.
Institutions should immediately audit their full KYC vendor chain, not just their primary providers. Every third-party relationship that touches identity data should be subject to documented security assessments, contractual minimum controls (including authentication requirements, encryption at rest and in transit, and right-to-audit clauses), and regular independent testing. The AU10TIX incident in June 2024, the Veriff incident in December 2025, and the IDMerit incident all demonstrate the same failure mode: the weakest link is rarely the bank itself. It is a vendor the customer has never heard of.
Where a platform has confirmed that customer data passed through IDMerit's systems, proactive notification to affected customers is warranted even in the absence of regulatory compulsion. Customers cannot take protective action — credit freezes, authenticator migrations, IRS PIN enrollment — if they do not know they are at elevated risk. Delayed disclosure is a policy choice, and financial institutions should make that choice explicitly rather than by default.
Platforms operating under GDPR, CCPA, or equivalent frameworks should be conducting their own legal analysis of whether downstream notification obligations were triggered by this incident. The fact that IDMerit disputes ownership of the underlying data does not necessarily relieve the data controller — typically the financial institution — of its own obligations to the people whose data it collected.
What the KYC Industry Needs to Change
The IDMerit exposure points to a structural problem that has no individual-level solution. Identity verification vendors are trusted with the highest-sensitivity data class in the financial system — data that is permanent, cannot be reset, and is used as a legal proxy for personhood. The industry's security standards have not kept pace with that responsibility.
Database authentication is not a complex or expensive control. It is a built-in feature of every major database platform. MongoDB has required authentication by default in production configurations since version 3.6, released in 2017. The fact that a production database containing one billion KYC records was deployed without it in 2025 is not a technical failure — it is an operational governance failure. It means that nobody with authority over that system verified that basic controls were in place before the system went live, and nobody checked afterward.
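As an added example (not IDMerit's configuration and not code from the original article), the following Python script checks a mongod.conf for the controls this section and the earlier paragraph on unauthenticated instances describe as missing: authorization, bind address, and TLS. Both sample configurations are constructed for illustration; the key names are MongoDB's own.

```python
# Added example (not IDMerit's configuration or the article's code): audit a
# mongod.conf for the controls whose absence the article describes. The two
# sample configurations below are constructed for illustration.

WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0            # reachable from every interface, no security section
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12  # loopback plus one private app-tier address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled       # clients must authenticate and are role-checked
"""


def parse_conf(text):
    """Parse the YAML subset mongod.conf uses: nested mappings of scalars.

    Indentation defines nesting and '#' starts a comment; lists and quoted
    strings are not needed for the keys audited here.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:   # climb back out to this key's parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":                  # a key with no scalar opens a sub-mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(conf, dotted, default=None):
    """Return conf['a']['b'] for dotted='a.b', or default if any step is missing."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    conf = parse_conf(text)
    findings = []
    # 1. Access control: without this, any client that reaches the port can
    #    read, export or drop every collection without credentials.
    if lookup(conf, "security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled'")
    # 2. Exposure: mongod binds only to localhost when bindIp is unset (the
    #    default since 3.6); a wildcard address here makes it internet-facing.
    bound = [ip.strip() for ip in lookup(conf, "net.bindIp", "127.0.0.1").split(",")]
    if "0.0.0.0" in bound or "::" in bound or lookup(conf, "net.bindIpAll") == "true":
        findings.append("net.bindIp listens on all interfaces")
    # 3. Transport: otherwise credentials and records cross the network in cleartext.
    if lookup(conf, "net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Running the script against a real deployment's config file before go-live, and again on a schedule, is the kind of verification the paragraph above says nobody performed.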
Vendors handling PII at this scale should be subject to mandatory, independent penetration testing and configuration auditing — not self-reported compliance attestations. SOC 2 Type II certification, which some KYC vendors hold, does not prevent this type of exposure; it evaluates whether documented controls exist, not whether every production system is actually configured to those standards. The gap between documentation and deployment is where incidents like this one live.
The concentration problem also requires direct attention. A company with under $3 million in annual revenue and fewer than 50 employees should not be holding identity infrastructure for hundreds of millions of people across 26 countries. The mismatch between organizational security maturity and data sensitivity is a known, tolerated risk in this industry. Regulators in the financial sector require due diligence on credit risk, liquidity risk, and operational risk. Third-party data custody risk — the risk that a vendor's security failure becomes your customers' identity fraud problem — deserves the same category of scrutiny.
What Regulators Should Do
No enforcement action has been publicly announced by any authority in any of the 26 affected countries as of this writing. That silence is a policy signal of its own. The regulatory frameworks that apply to identity data custody — GDPR in the EU, GLBA and FCRA in the United States, DPDPA in India, PDPA in several Southeast Asian jurisdictions — all contain provisions potentially applicable to this incident. Whether any of them are actively being applied is not yet clear. In the Veriff/Total Wireless incident, by contrast, three federal class action lawsuits were filed within weeks of the breach disclosure, and Total Wireless offered affected customers one year of complimentary Experian IdentityWorks monitoring. The IDMerit incident has produced no equivalent public accountability measure as of publication.
The more structural regulatory gap is the absence of minimum security standards specifically for KYC and identity verification vendors. Financial institutions that hire these vendors are regulated. The vendors themselves, in many jurisdictions, are not subject to the same examination authority, even though they are handling data on behalf of regulated entities. Closing this gap — extending examination authority, minimum technical controls, and mandatory incident reporting to identity verification vendors — is a policy outcome this incident should accelerate.
Notification timelines also require examination. The 99-day gap between the November 11 discovery and the February 18 public disclosure may or may not have involved private regulatory notifications that have not been made public. But from the perspective of the people whose data was exposed, the practical outcome was nearly three months without warning. Regulatory frameworks that allow this outcome — whether through ambiguous applicability, slow enforcement, or deference to vendor claims — are not providing the protection they imply.
Key Takeaways
- No hack was required: This was not a breach in the conventional sense. No attacker exploited a vulnerability. A production database was left without password protection on the open internet — a configuration error that represents one of the most basic failures in database security hygiene.
- The exposure duration is unknown: IDMerit secured a database within roughly 24 hours of being notified by Cybernews on November 11, 2025. How long the database was open before that notification has never been disclosed. The risk window could be days. It could be significantly longer.
- The 99-day disclosure gap has real consequences: The people whose data was in this database went nearly three months without knowing they may need to take protective action. Regulatory frameworks in many jurisdictions require timely breach notification — whether those obligations applied here, and whether they were met, remains publicly unresolved.
- KYC data is uniquely dangerous when exposed: Unlike passwords, national ID numbers and dates of birth cannot be reset. The permanent, foundational nature of this data means the risk does not expire when the story stops making headlines.
- Vendor security is your security: If your bank or financial platform used IDMerit for identity verification, your data was at risk through no fault of your own and no action you could have taken. The security of every platform you use is only as strong as the security of every vendor in its supply chain.
- Attribution and responsibility remain contested: IDMerit disputes that it owned or controlled the database directly. The company's architecture claim — that it processes data in real time and does not retain it — has not been independently verified or disproven. What has been confirmed is that a database attributable to its infrastructure was unprotected. Whether the accountability lies with IDMerit, an unnamed data source partner, or both is a question that regulators have not yet publicly answered.
The IDMerit incident is a precise illustration of a problem that regulators, financial institutions, and security practitioners have been naming for years without fully resolving. The companies entrusted with the most sensitive identity infrastructure in the digital economy are not consistently held to security standards that match the risk they carry. A single missing authentication control on a single database — a configuration that takes minutes to add — was all that stood between one billion people's identity records and anyone on the internet.
Whether IDMerit directly owned that database, or whether responsibility belongs with an unnamed data source partner in its supply chain, does not change what happened. It changes only who should be held accountable. That is a question for regulators, and so far none have answered it publicly. Until accountability catches up with concentration, this class of incident will keep occurring — because the architecture that produces it remains intact, the incentives that tolerate it remain unchanged, and the oversight mechanisms that should deter it have not been applied.