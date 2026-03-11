NEW You can now listen to Fox News articles!

Things like your name, home address, date of birth and even your Social Security number may have been sitting on the open internet. Researchers say an unprotected database tied to IDMerit, a company that claims to help businesses verify identities, exposed roughly 1 billion sensitive records across 26 countries.

In the United States alone, more than 203 million records were left unsecured. This involves the exact documents and details companies use to confirm you are really you. If criminals get that kind of information, they'd have everything they need.

What you need to know about the massive data leak

Researchers at Cybernews, a cybersecurity news and research publication, discovered an exposed MongoDB database on Nov. 11, 2025, that they believe belongs to IDMerit, a global identity verification provider that serves banks, fintech firms and other financial services companies. IDMerit uses artificial intelligence tools to help businesses perform KYC, short for Know Your Customer, which is the identity verification process required when you open financial accounts.

The database was not protected by a password. Anyone who knew where to look could access it. Inside were full names, home addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses and gender information. Some records also included telecom-related metadata and internal flags that may have referenced past breaches.

The exposure affected people in 26 countries. The United States had the highest number of exposed records at more than 203 million. Mexico, the Philippines, Germany, Italy and France were also heavily impacted.

Researchers notified the company, and the database was secured the following day. There is currently no public evidence that criminals downloaded the data. Still, it's worth noting that automated bots constantly scan the internet for exposed databases and can copy them within minutes.

How it happened and why it matters for you

When you open a bank account, sign up for a crypto platform, or verify your identity for a financial app, you are often asked to upload a government ID and provide personal details. Companies like IDMerit process that information behind the scenes. That means this database likely contained the same details you would use to prove your identity to a bank or government agency.

For criminals, that is gold. With your full name, date of birth, national ID and phone number, scammers can attempt SIM-swap attacks. This is when someone convinces your mobile carrier to transfer your phone number to their device. Once they control your number, they can intercept security codes sent by text message and break into your bank or email accounts. They can also launch highly targeted phishing scams. Imagine receiving a call or email that includes your real home address and ID number. It would feel legitimate, and that's exactly the point.

Because the data was neatly organized, criminals could sort it by country or other details and use automated tools to target huge numbers of people with scams.

We reached out to IDMerit for comment, but did not hear back before our deadline.

8 ways you can protect yourself from data leaks

Before criminals have a chance to use this information against you, here are practical steps you can take right now to lock things down and reduce your risk.

1) Freeze your credit reports

Contact the major credit bureaus in your country and place a credit freeze. This prevents criminals from opening loans or credit cards in your name. Even if someone has your national ID and date of birth, lenders will not be able to access your credit file without your permission.

2) Stop relying on text message security codes

If your bank or email account still uses SMS codes for two-factor authentication, switch to an authenticator app instead. Text messages can be intercepted during SIM-swap attacks. An authenticator app generates codes directly on your device, making it much harder for criminals to break in.

3) Use a password manager

If attackers pair leaked identity data with passwords from older breaches, they can try to access your accounts. A password manager creates strong, unique passwords for every account, so one leak does not unlock everything else.

A password manager creates strong, unique passwords for every account, so one leak does not unlock everything else.

4) Consider identity theft protection

Identity theft monitoring services can alert you if your personal information is used to open accounts or appears on dark web marketplaces. Early detection can mean the difference between stopping fraud quickly and discovering it months later.

5) Watch your mobile account closely

Log in to your mobile carrier account and enable extra security features, such as a port-out PIN if available. This adds an additional layer of protection so someone cannot easily move your phone number to another SIM card.

6) Run antivirus software on your devices

Good antivirus software can block malicious links, fake login pages and spyware that may be used in follow-up attacks. After a large data exposure, phishing campaigns often spike, and having protection in place can stop you from clicking into trouble.

7) Consider a personal data removal service

Your personal information is often scattered across data broker sites and people-search databases that sell access to your details. A personal data removal service can monitor where your information appears online and work to get it taken down. This reduces the amount of data criminals can find about you in one place, making it harder for them to piece together your identity and target you with scams or fraud.

8) Be skeptical of calls that know too much

If someone contacts you and references your address, date of birth, or ID number, do not assume they are legitimate. Hang up and call the official number listed on the company's website. Criminals use real data to make fake stories sound convincing.

Kurt's key takeaway

This incident exposes a larger problem. Companies that handle identity verification have become critical infrastructure for the digital economy. When one of them leaves a database open, the fallout spreads across countries and millions of ordinary people who never even heard of the company. You trusted a bank or app with your ID. That bank trusted a third party. Somewhere in that chain, basic security controls failed.

Should companies that handle identity verification face automatic penalties when they expose millions of people's most sensitive data? Let us know by writing to us at Cyberguy.com.

