Massive IDMerit Breach Investigated
A potentially massive data breach at IDMerit, which could involve billions of identity records, has been referred to the UK's Information Commissioner's Office (ICO) for assessment. The scale of the reported theft suggests a significant compromise of sensitive personal information.
The breach originated from an unsecured MongoDB database, a common but critical misconfiguration that left nearly a terabyte of data publicly accessible without a password. Researchers at Cybernews discovered the exposed instance on November 11, 2025, and IDMerit secured it the following day after being notified.
The exposed data contained sensitive Know Your Customer (KYC) information used for identity verification by financial institutions and other services. This included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses for individuals across 26 countries. The United States had the most significant exposure with over 203 million records compromised. Other heavily impacted countries include Mexico with 124 million records, the Philippines with 72 million, and several European nations with tens of millions of records each.
While IDMerit secured the database promptly, the total duration of the exposure remains unknown, leaving open the possibility that automated crawlers or malicious actors could have copied the data before it was found by researchers. IDMerit has stated that an internal review found no evidence of customer data being compromised and suggested the disclosure was part of a ransom-related incident.
This incident highlights the significant risks associated with third-party identity verification services and how a single point of failure can have global consequences. The structured nature of the KYC data makes it particularly valuable for criminals to carry out sophisticated identity theft, account takeovers, and SIM swap attacks.