No Password. No Authentication. Just a URL.
IDMerit, a global leader in digital identity verification and Know Your Customer (KYC) compliance, left a MongoDB database containing over 1 billion personal records completely exposed on the internet — with zero authentication required. Anyone with the URL could read, copy, export, or delete the entire contents without credentials.
The Cybernews research team discovered the exposed instance on November 11, 2025. IDMerit secured the database by November 12, but public disclosure didn't arrive until February 18, 2026 — a 99-day gap during which the full scope of exposure remained unknown.
By the Numbers
| Metric | Value |
|---|---|
| Total records exposed | 3+ billion (across multiple databases) |
| Records with sensitive PII | ~1 billion |
| Countries affected | 26+ |
| US records alone | 204 million |
| Total data volume | ~1 terabyte |
| Authentication required | None |
| Time exposed (minimum) | Unknown — discovered Nov 11, 2025 |
What Was Exposed
The database contained a comprehensive collection of personally identifiable information (PII) tied to KYC verification processes:
- Full names and residential addresses with postal codes
- Dates of birth and national identity numbers (including Social Security Numbers and equivalent identifiers)
- Telephone numbers, genders, and email addresses
- Passport and ID document data from 26+ countries
- Telco metadata including mobile network information — data that could facilitate SIM-swap attacks
The breadth of this data makes it a goldmine for identity theft, social engineering, financial fraud, and targeted phishing campaigns. Unlike typical breaches where passwords can be changed, national ID numbers, dates of birth, and passport details are permanent — victims cannot simply reset their identity.
The KYC Paradox
The irony is sharp: KYC verification exists to prevent fraud by collecting and verifying identity documents. When a KYC provider suffers a breach of this magnitude, the very data collected to protect people becomes the weapon used against them.
Organizations that submitted customer data to IDMerit for identity verification now face the reality that their customers' most sensitive information was sitting in an unprotected database. This raises serious questions about:
- Vendor due diligence — How are organizations vetting the security practices of their KYC providers?
- Data minimization — Should KYC providers retain this volume of raw identity data indefinitely?
- Regulatory compliance — Multiple jurisdictions' data protection laws (GDPR, CCPA, PIPEDA) likely apply given the 26-country scope
Impact Assessment
For Individuals
- Identity theft risk: SSNs, passport numbers, and full addresses provide everything needed for new account fraud
- SIM-swap risk: Telco metadata enables targeted SIM-swap attacks for 2FA bypass
- Phishing risk: Real personal details make social engineering attacks highly convincing
- Long-term exposure: Unlike passwords, national ID numbers cannot be changed
For Organizations
- Third-party risk materialized: Any company that used IDMerit for KYC now inherits breach notification obligations
- Regulatory exposure: Multi-jurisdictional data protection violations across 26+ countries
- Trust damage: Customers may lose confidence in onboarding processes that require sensitive document submission
What You Should Do
If you've completed KYC verification with any service that may use IDMerit:
- Monitor your credit — Place fraud alerts or credit freezes with major bureaus
- Watch for phishing — Expect highly targeted attempts using your real personal details
- Enable strong 2FA — Use hardware keys or authenticator apps (not SMS) where possible
- Review accounts — Check for unauthorized accounts opened in your name
- Contact your provider — Ask if they used IDMerit for identity verification
If you're an organization using third-party KYC services:
- Audit your vendor's security practices — Request SOC 2 reports, penetration test results, and data handling policies
- Minimize data retention — Ensure vendors delete raw identity documents after verification
- Implement breach notification plans — Know your obligations across all jurisdictions where customer data is held