- IDMerit kept an unsecured database of over three billion records
- Experts find database and manage to get it locked down
- Personal info exposed, but affected users may be low in number
Experts have revealed IDMerit, an AI-powered digital identity verification solutions provider, kept an enormous database filled with sensitive customer information unlocked and easily accessible on the public internet.
In total, more than three billion records were discovered by cybersecurity researchers from Cybernews and eventually locked down.
The team said it found an open MongoDB database weighing more than a terabyte, and included records such as full names, addresses, post codes, dates of birth, national IDs, phone numbers, gender, email addresses, telco metadata, and breach status and social profile annotations.
Major breach
The size of the database does not mean three billion people were exposed, since multiple records belong to a single person, but the scale of the leak is still quite massive.
Cybernews says roughly a billion probably contained sensitive data, while the other two are database logs that are “likely less sensitive”.
The database is also global, as individuals from 26 countries had their data exposed, with those in the US being most affected (more than 203 million records). Mexico (124 million), and the Philippines (72 million) round off the top three, with Germany, Italy, and France, making notable appearances, with 61m and 53m records leaked respectively.
“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms. Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure,” Cybernews said.
Based in California, IDMerit is a global identity-verification and fraud-prevention technology firm that provides API-based solutions for KYC, AML and digital identity verification.
As of 2025 it operates with roughly 25–50 employees and serves a growing global customer base, generating about $2.9 million in annual revenue. The company was founded in 2014 and trades as a privately held US tech provider.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
The post Massive global data breach sees over a billion records exposed – here’s what we know so far first appeared on TechToday.
This post originally appeared on TechToday.