Data leak at digital identity verification provider exposes 1 billion records

Alina BÎZGĂ

February 25, 2026

A publicly accessible database containing about 1 billion records from 26 countries was recently identified by Cybernews investigators.

The exposed instance appears to belong to IDMerit, an AI-powered digital identity verification provider serving fintech and financial services companies, according to researchers.

This wasn’t a typical breach in which cybercriminals break in. The database was left open, and anyone who knew where to look could have stumbled upon this gold mine of data.

Researchers say they identified the unsecured database on November 11, 2025, and immediately notified the company. The database was secured shortly afterward.

At this time, there is no evidence that the data was accessed by threat actors.

What information was included?

The exposed records included a broad range of personally identifiable information (PII) commonly used for identity verification, such as:

  • Full names
  • Home addresses and postal codes
  • Dates of birth
  • National identification numbers
  • Phone numbers
  • Email addresses
  • Gender information
  • Potential telecom metadata

Because this data is structured and detailed, it can be more easily searched and abused than unstructured datasets.

How many records were exposed by region?

According to available reporting, the breakdown of exposed records by country includes:

  • United States: ~204 million
  • Mexico: ~123 million
  • Philippines: ~72 million
  • Germany: ~60 million
  • Italy: ~53 million
  • France: ~52 million
  • Turkey: ~49 million
  • Brazil: ~39 million
  • Spain: ~31 million
  • Malaysia: ~24 million
  • Vietnam: ~21 million
  • Argentina: ~20 million
  • Colombia: ~18 million
  • Peru: ~14 million
  • Canada: ~12 million
  • Australia: ~12 million
  • Greece: ~9 million
  • China: ~8 million
  • Hong Kong: ~8 million
  • United Arab Emirates: ~6 million
  • Norway: ~4 million
  • Romania: ~4 million
  • Armenia: ~2 million
  • Thailand: ~2 million
  • Yemen: ~2 million
  • Morocco: ~1 million

Why this matters

Identity-related data like what was exposed here is used in many everyday processes — from opening bank accounts to signing up for telecom services. When this type of data is publicly accessible, it can be repurposed in a variety of ways, including:

  • Identity theft
  • Account takeovers
  • Targeted phishing
  • Credit and loan fraud
  • SIM-swapping attacks

Because the data contains highly personal details, it doesn’t simply “expire” like a password might. Once exposed, records can circulate in online forums or data marketplaces long after the original exposure is closed off.

What you can do to stay safe from potential misuse

Even if you don’t know whether your specific information was in the exposed dataset, there are steps anyone can take to reduce risk:

Strengthen your account security

Use unique passwords stored in a password manager and enable multi-factor authentication wherever possible. These measures make it harder for attackers to gain access even if they have some of your details.

Stay alert to unusual activity

Monitor your bank statements, credit reports, and account access logs for unexpected behavior. Early detection of unauthorized activity can limit damage. If you’re in the United States, you may want to opt for a credit freeze.

Be wary of phishing attempts

Fraudsters often use personal details to make scam messages look convincing. Treat unsolicited emails or text messages with caution. Use scam-detection tools like Scamio and Link Checker to detect signs of fraud and malware.

Monitor your identity exposure

Because identity data can resurface long after a leak, ongoing monitoring provides early insight into whether your information appears in new breach datasets.

Tools like Bitdefender Digital Identity Protection continuously scan breach sources and notify you if your personal data is found, so you can act quickly. Regular alerts and recommended steps can help you stay ahead of potential misuse.

By understanding where and how your data might be at risk, you can take practical steps to protect your digital identity.
