IDMerit data breach: 1 billion records of personal data exposed in ID verification leak – which no-one except everyone saw coming.

Posted on by

Because IDMerit is an AI-powered KYC (Know Your Customer) provider, the data it collects is incredibly sensitive. The unsecured 1-terabyte database didn’t just leak passwords—it leaked the core personal identifiers used for your financial and digital life. The following structured data was left open for anyone to download:

  • Full names
  • Addresses
  • Post codes
  • Dates of birth
  • National IDs
  • Phone numbers
  • Genders
  • Email addresses
  • Telco metadata
  • Breach status and social profile annotations

The last data point – breach status and social profile annotations – could refer to a database identifier indicating whether the data originated from a data breach or a leaked database. However, at this point, the true meaning of the data point is unclear. The team noted that this specific data point was present only in some regions.

“At this scale, downstream risks include account takeovers, targeted phishing, credit fraud, SIM swaps, and long-tail privacy harms. Industry-wide, the case underlines how third-party identity vendors have become critical infrastructure and can become single points of catastrophic failure,” our team explained.

Who is IDMerit and How Did This Happen?

Our team believes the exposed database belongs to IDMerit, an AI-powered digital identity verification solutions provider. The company serves the fintech and financial services sectors, helping businesses with real-time verification tools. KYC (Know Your Customer) practices are a global norm for users to verify their identities when setting up various accounts.

Our researchers noticed the exposed instance on November 11th, 2025 and immediately contacted the company, which promptly secured the database. While there is no current evidence of malicious misuse, automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear.

Global data leak spans multiple countries

What’s most striking about the IDMerit data leak is its scale and global geography, with three billion records spanning over 20 countries. Several databases appeared to contain overlapping slices for the same country. However, our team believes most of the records were unique.

The country with the most exposed records was the United States, having over 203 million records leaked. The US was followed by Mexico (124M) and the Philippines (72M). Behind the first three, we see a trio of European nations: Germany (61M), Italy (53M), and France (53M).

[…]

Source: IDMerit data breach: 1 billion records of personal data exposed in KYC data leak | Cybernews

scary stories which predicted this a long long time coming:

https://www.linkielist.com/?s=age+verification&submit=Search

Robi nEdgar sitting in a chair

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com