Updated: March 15, 2026
IDMerit Data Breach Exposes Billions of Records
What Happened in the Breach
Cybersecurity researchers from the Cybernews investigative team uncovered an unprotected MongoDB instance on November 11, 2025, that they traced to US-based identity verification firm IDMerit. The exposed server, used to store know-your-customer (KYC) data, held multiple databases totaling more than 3 billion records and nearly 1 terabyte of data.
About 1 billion entries contained sensitive personal information spanning at least 26 countries. Cybernews said they notified IDMerit on November 12, 2025, and the company secured the database the same day. IDMerit has not publicly explained why authentication was missing or how long exposure lasted. No malicious access has been confirmed, but researchers warned automated crawlers could have copied the data before it was secured.

Timeline: From First Access To Latest Update
- November 11, 2025: Cybernews researchers find an unprotected MongoDB instance with multiple databases linked to IDMerit’s identity verification service.
- November 12, 2025: Researchers contact IDMerit, and the company restricts access later that day; exposure length before discovery remains unknown.
- February 18, 2026: Cybernews publishes its report, stating about 1 billion of 3 billion records contain sensitive personal data.
- February 19, 2026: Forbes reports the incident, confirming IDMerit secured the database the same day and noting no confirmed malicious access, while warning automated crawlers might have copied data.
- February 20, 2026: Biometric Update publishes analysis, emphasizing over 3 billion total records and roughly 1 billion with sensitive identity data, plus downstream identity theft and SIM swap risks.
- February 18, 2026: Additional outlets such as SC Media, TechRadar, and Tom’s Guide restate record counts and risks, while noting IDMerit has not issued a public statement; a News4Hackers post makes uncorroborated claims about law enforcement and notifications.
- Current Status (as of Feb 22, 2026): The database remains offline, IDMerit has not issued a detailed notice or confirmed exfiltration, regulators have not announced investigations, and no public lawsuits have been filed.
Company Response And Customer Remediation
Public reporting said IDMerit restricted access after notification on November 12, 2025, while detailed public disclosure and consumer remediation steps have remained limited. In a statement, an IDMERIT spokesperson said the following:
“IDMERIT is a software-as-a-service company that provides identity verification technology. We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources. Our platform connects to authorized data sources globally to verify individual identities on behalf of our customers.
On November 11, IDMERIT was made aware by an ethical hacker that certain data ports associated with independent data sources could have been open, which had the potential to expose certain databases. Upon receiving this notification, we immediately conducted a thorough review of our software, security controls, configurations and system logs. That review found no exposure, vulnerability or unauthorized access within the IDMERIT environment. IDMERIT’s systems and security infrastructure have never been compromised.
At the same time, we notified all relevant data source partners and worked with them to assess the matter. Our partners conducted their own internal investigations and confirmed that there has never been a data breach or exfiltration from their systems during, before or after this event. We requested a security incident report from the ethical hackers as proof, and the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.
Based on our internal review and confirmations from our partners, we have no indication that any customer data has been compromised. We continue to maintain strong security safeguards on our systems and are taking these accusations very seriously as we continue to investigate this matter in coordination with our partners.”
General consumer steps remain relevant for large identity data exposures, even when exfiltration is unconfirmed, and recommended actions include credit monitoring, stronger multifactor authentication that does not rely on SMS, and skepticism toward unsolicited messages that reference personal details.
What Data Or Systems Were Affected
The exposed MongoDB instance held multiple collections of IDMerit’s KYC data. Cybernews and other reports state that the database contained:
- Full names, residential addresses and postal codes.
- Dates of birth and national identity numbers, including social security or equivalent identifiers.
- Telephone numbers, genders and email addresses.
- Telco metadata, such as mobile network information, which could facilitate SIM‑swap attacks.
- Breach status and social‑profile annotations, possibly indicating whether individuals had appeared in earlier breaches.
The trove covered individuals from at least 26 countries, with the United States accounting for over 203 million records. Mexico (124 million), the Philippines (72 million), Germany (61 million), Italy (53 million) and France (53 million) were also heavily represented. Researchers estimate that about one billion records contained sensitive personal information, while the remaining two billion may have been log files or metadata.
Who Was Responsible (Confirmed Vs Alleged)
Cybernews attributed the exposed server to IDMerit, an AI‑driven identity‑verification provider based in California. The company offers KYC and anti‑money‑laundering screening tools for banks, fintech firms, telecoms and other regulated sectors. IDMerit has not publicly acknowledged the incident or explained how the database came to be left without authentication.
There is no evidence linking the exposure to a malicious actor; all available sources describe it as an inadvertent misconfiguration. News4Hackers claims that IDMerit is working with law enforcement and notifying affected individuals, but this assertion has not been confirmed by the company or regulators. No ransomware group has taken credit, and no criminal organisation has been identified as exploiting the dataset.
How The Attack Worked
This incident was not a hack in the traditional sense; it was a misconfigured cloud database. According to Cybernews, the researchers discovered that an entire MongoDB instance containing multiple databases was exposed to the public Internet without password protection. Anyone with knowledge of the IP address could query the database and download the data.
Such misconfigurations often occur when engineers deploy testing environments or backups without enforcing proper authentication. There is no evidence that threat actors exploited a software vulnerability; the risk stemmed from the server being accessible via the Internet. Once notified, IDMerit restricted access, suggesting that the company had control of the infrastructure and that the issue was configuration rather than compromise.
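The misconfiguration described above can be caught by a static check before a server is deployed. The following is an added example, not code from IDMerit, Cybernews or Bright Defense: it assumes a self-managed `mongod` started from a YAML `mongod.conf`, and the two sample configurations are constructed for illustration.

```python
# Added example: flag a mongod.conf that listens beyond loopback with access control off.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def flatten_conf(text):
    """Flatten the nested 'key: value' mappings of mongod.conf into dotted keys.
    Covers only the indented-mapping subset of YAML that mongod.conf uses."""
    flat, stack = {}, []                      # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave sections we have dedented out of
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))       # a section header such as 'net:'
    return flat

def audit(text):
    """Return a list of findings for one mongod.conf body."""
    conf = flatten_conf(text)
    # mongod binds to localhost when net.bindIp is not set.
    binds = [a.strip() for a in conf.get("net.bindIp", "localhost").split(",")]
    public = (conf.get("net.bindIpAll", "false").lower() == "true"
              or any(a not in LOOPBACK and not a.startswith("/") for a in binds))
    # Access control is off unless security.authorization is 'enabled';
    # setting security.keyFile also turns it on.
    auth_on = (conf.get("security.authorization", "disabled").lower() == "enabled"
               or "security.keyFile" in conf)
    if public and not auth_on:
        return ["CRITICAL: network-reachable with access control disabled"]
    if not auth_on:
        return ["WARN: access control disabled (loopback only)"]
    return []

# Constructed sample: the pattern reported in this incident.
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0  # all interfaces\n"
# Constructed sample: same listener, with access control enabled.
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, body in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(body) or "ok")
```

A clean result here covers only the configuration file; network-level controls such as firewall rules or cloud security groups still decide whether the port is reachable from the Internet.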
Impact and Risks for Customers
Although the incident did not involve direct theft of funds, the exposure of one billion sensitive records creates serious risks:
- Identity theft and account takeover: Attackers armed with full names, dates of birth, and national ID numbers can impersonate victims to open fraudulent accounts or hijack existing ones.
- Targeted phishing and social engineering: Detailed personal data allows criminals to craft convincing emails, texts or phone calls referencing accurate personal details.
- SIM‑swap fraud: Telco metadata and phone numbers increase the risk of criminals taking over victims’ phone numbers to intercept authentication codes.
- Long‑tail privacy harms: Because KYC data remains valid for years, individuals may face repercussions long after the exposure. Fraudsters may reuse such data in multiple schemes, and victims may not be aware until they notice credit‑report anomalies.
Unlike traditional breaches that affect one company’s customers, this leak aggregates data from multiple businesses across industries. Individuals may never have interacted directly with IDMerit, making it harder to identify that they are at risk.
Company Response and Customer Remediation
IDMerit has not issued a detailed public statement about the incident. Cybernews and Forbes both report that the company quickly restricted access to the database after being notified on November 12, 2025. There are no public announcements of credit‑monitoring services or customer notification campaigns.
News4Hackers’ report alleges that IDMerit has launched an investigation, is notifying affected individuals and is cooperating with law enforcement, but this has not been corroborated by other sources. Because the data belonged to IDMerit’s clients rather than its own direct customers, remediation may depend on those clients’ responses.
Security experts recommend that individuals monitor their credit reports, enable multi‑factor authentication using hardware or authenticator apps rather than SMS, and be wary of unsolicited communications referencing personal information.
Government, Law Enforcement, and Regulator Actions
As of February 22, 2026, there are no public statements from the U.S. Federal Trade Commission, state attorneys general, or European data‑protection authorities about investigations into the IDMerit leak. There have been no reports of fines or enforcement actions.
The lack of regulatory response may reflect the fact that the database was secured before the incident became widely known, or it may suggest that investigations are ongoing but not yet public. News4Hackers claims IDMerit is working with law enforcement, but no agency has confirmed involvement.
Financial, Legal, and Business Impact
IDMerit is a relatively small private company with roughly 25–50 employees and annual revenues of about US$2.9 million. Its clients include banks, telecoms and fintech firms that rely on KYC services to meet regulatory obligations.
There have been no reports of class‑action lawsuits or regulatory fines related to the leak. However, the exposure could lead to litigation from businesses that used IDMerit’s services, especially if their customers suffer identity theft.
The incident may damage IDMerit’s reputation and future client acquisition. Analysts warn that the breach underscores the systemic risk posed by third‑party identity‑verification vendors; a single misconfigured server can expose personal data from millions of people across multiple industries.
What Remains Unclear About the Incident
Several aspects of the IDMerit leak are still uncertain:
- Exposure duration: Researchers discovered the database on November 11, 2025, but the server may have been publicly accessible for months or longer. IDMerit has not disclosed when the database was initially deployed or when the misconfiguration occurred.
- Extent of unauthorized access: There is no conclusive evidence that threat actors copied the data, but the open database could have been scraped by automated bots. Without forensic logs, it may be impossible to know whether criminals obtained the data.
- Confirmation of impacted individuals: With three billion total records and duplicates, the number of unique individuals affected remains uncertain. Estimates suggest about one billion unique identity profiles.
- Company notification and remediation: IDMerit has not stated whether it has notified regulators or clients, offered credit monitoring, or taken steps to improve security beyond closing the exposed database.
Why This Incident Matters
The IDMerit leak is one of the largest known exposures of identity‑verification data. While there have been bigger dumps of breached credentials, this trove contained structured KYC data—complete identity profiles used by banks and telecoms to verify customers.
The incident highlights how third‑party vendors can become single points of failure for multiple industries. It also shows that misconfigured cloud services, rather than sophisticated hacks, continue to be a primary cause of mass data exposures.
Regulators and companies may use this incident to push for stricter vendor‑risk management, mandatory security audits for KYC providers, and more transparent disclosure practices. For individuals, the leak underscores the importance of vigilant account monitoring and the use of strong, multi‑factor authentication.
How Bright Defense Pen‑Testing and Continuous Compliance Could Prevent Similar Exposures
Bright Defense offers penetration testing and continuous compliance services that help organizations prevent misconfiguration-driven leaks like the IDMerit incident. Penetration testing simulates attacker behavior to spot exposed databases and misconfigured cloud services, which can surface an open MongoDB instance before researchers or attackers find it.
Continuous compliance monitoring checks cloud settings against common standards and alerts when authentication controls are disabled. Vendor risk support helps teams set security audit requirements and clear breach notification and remediation obligations for third parties.
FAQ
Public reporting said a MongoDB database linked to IDMerit was left publicly accessible and later secured after researchers reported it to the company, with discovery dated November 11, 2025 in multiple summaries.
Reporting described a dataset of more than 3 billion total records in an exposed trove around 1 TB, with roughly 1 billion described as highly sensitive records and the rest described as logs, and several outlets noted that record counts can include duplicates tied to the same person.
Coverage commonly highlighted the United States as the largest share at about 203 million records, followed by Mexico at about 124 million and the Philippines at about 72 million, with additional countries listed in the same reporting set.
Reports described exposed fields such as names, dates of birth, physical addresses, phone numbers, email addresses, and national identification numbers, with some writeups also referencing telecom metadata and related verification metadata in the dataset.
Several writeups framed it as a misconfiguration-style exposure of an unsecured database rather than a confirmed break-in, and public reporting did not establish proof of who accessed the data during exposure.
Biometric Update quoted IDMerit saying it was alerted on November 11 about potentially open data ports tied to independent data sources and that its review found no exposure, vulnerability, or unauthorized access within the IDMerit environment, while Cybernews also published a statement attributed to IDMerit about not owning or storing underlying customer data held by independent sources.
- Follow the guided steps at IdentityTheft.gov/databreach for reporting and recovery actions
- Place a credit freeze or fraud alert when your risk profile calls for it, since both are free and can make new-account fraud harder
- Review bank, email, and mobile accounts for unusual activity and change passwords for reused credentials
- Treat unexpected messages that use personal details as high-risk and verify requests with contact info you look up yourself
The most common follow-on risks involve targeted phishing and account takeover attempts that reuse leaked details for credibility, so the safest default is to avoid links in unsolicited messages and verify the request through official channels you open yourself.
Sources
- Cybernews — IDMerit data breach: 1 billion records of personal data exposed in KYC data leak (February 18–19, 2026).
  https://cybernews.com/security/global-data-leak-exposes-billion-records/
- Forbes — New AI Data Leak Alert—1 Billion IDs, Emails and Phone Numbers Exposed (February 19, 2026).
  https://www.forbes.com/sites/daveywinder/2026/02/19/new-ai-data-leak-alert-1-billion-ids-emails-and-phone-numbers-exposed/
- Biometric Update — One billion identity records exposed in unsecured ID verification database (February 20, 2026).
  https://www.biometricupdate.com/202602/one-billion-identity-records-exposed-in-unsecured-id-verification-database
- SC Media — Billions of records exposed by unsecured IDMerit database (February 18, 2026).
  https://www.scworld.com/brief/billions-of-records-exposed-by-unsecured-idmerit-database
- TechRadar — Massive global data breach sees over a billion records exposed (February 19, 2026).
  https://www.techradar.com/pro/security/massive-global-data-breach-sees-over-a-billion-records-exposed-heres-what-we-know-so-far
- Happier IT — IDMerit Data Breach Exposes Over One Billion Records Globally (February 19, 2026).
  https://www.happierit.com/recent-breaches/idmerit-data-breach-one-billion-records-exposed/
- Tech Digest — Global data leak exposes a billion personal records (February 18, 2026).
  https://www.techdigest.tv/2026/02/global-data-leak-exposes-a-billion-personal-records.html
- News4Hackers — IDMerit Data Breach: Billions of Records Exposed in Massive Cybersecurity Incident (February 20, 2026).
  https://www.news4hackers.com/idmerit-data-breach-billions-of-records-exposed-in-massive-cybersecurity-incident/
- Tom’s Guide — 1 billion personal records exposed in massive new data leak (February 20, 2026).
  https://www.tomsguide.com/computing/online-security/1-billion-personal-records-from-26-countries-exposed-in-massive-new-data-leak-how-to-stay-safe