One of the largest data leaks in history has just been made public. Identity verification company IDMerit, based in California, left an unprotected MongoDB database exposed containing over 1 billion personal records from citizens across 26 countries. More than 200 million records belong to United States residents.
What data was exposed
The database, weighing over one terabyte, contained extremely sensitive information:
- Full names and dates of birth
- National identity documents (IDs, passports, driver's licenses)
- Postal addresses and zip codes
- Phone numbers and email addresses
- Gender data and telecommunications metadata
- Previous breach status and social profile annotations
How the leak happened
The Cybernews research team discovered the exposed MongoDB instance on November 11, 2025. IDMerit secured the database the following day, but researchers estimate the data was accessible for an undetermined period before discovery.
The report was published on February 18, 2026, bringing the case under public scrutiny. As of now, IDMerit has not issued a detailed statement or confirmed whether the data was exfiltrated by malicious third parties.
What is IDMerit and why they had your data
IDMerit is a Know Your Customer (KYC) identity verification and fraud prevention company. If you ever opened an account on a cryptocurrency exchange, a fintech platform, or any service that asked you to upload a photo of your ID to verify your identity, there is a chance your data passed through a company like IDMerit.
Their clients include financial services companies, crypto exchanges, lending platforms, and telecommunications providers across 26 countries.
How to check if you are affected
While there is no official tool to verify if your data is in this specific leak, you can take these steps:
- Check your email on Have I Been Pwned to see if you appear in recent breaches
- Monitor your credit: if you used KYC services, enable credit alerts
- Change passwords on crypto exchanges and financial services
- Enable two-factor authentication on all possible accounts
- Watch for phishing: with names, emails, and phones exposed, attacks will be more personalized
The real risks
When KYC databases are leaked, attackers can commit:
- Identity theft using real documents
- Credit fraud using verified personal data
- SIM swapping: taking control of your phone number
- Targeted phishing: attacks using real personal information that look legitimate
What comes next
So far, no regulators have announced formal investigations and no public lawsuits have been filed. However, given the magnitude of the leak — potentially affecting hundreds of millions of people — it is only a matter of time before legal consequences materialize. If you have used services requiring KYC verification, stay alert.
