Cyber Incident Victim: IDMerit
Date: Nov 2025
Location: United States of America
Summary
IDMerit left a MongoDB database without a password, exposing roughly one billion identity records that included names, home addresses, dates of birth, national ID numbers, phone numbers, email addresses, gender information and some telecom metadata across 26 countries, with over 203 million records from the United States. Researchers discovered the exposure and notified the company, and the database was secured the next day; there is no public evidence that the data was downloaded by criminals. The company stated that it does not store customer data and that its review found no vulnerability in its own systems, while its data source partners confirmed no breach on their sides.
Description
On November 11, 2025, researchers from Cybernews discovered an unprotected MongoDB database that was linked to IDMerit, a global identity verification provider. The database lacked any password protection, allowing anyone who knew its location to access its contents. Inside the database were approximately one billion records containing personal data such as full names, home addresses, dates of birth, national identification numbers, phone numbers, email addresses, and gender information, with some records also holding telecom‑related metadata and internal flags. The exposure spanned 26 countries, with the United States accounting for more than 203 million records, while Mexico, the Philippines, Germany, Italy, and France also showed high volumes of exposed data. The researchers promptly notified IDMerit of the finding, and the company reported that the database was secured the following day.

IDMerit’s spokesperson stated that the company does not own or store customer data, explaining that its platform connects to authorized data sources to perform verification services. Upon receiving the alert from an ethical hacker on November 11, IDMerit conducted an internal review of its software, security controls, configurations, and system logs, which revealed no exposure, vulnerability, or unauthorized access within its own environment. The company then informed all relevant data source partners, who carried out their own investigations and confirmed that no breach or exfiltration had occurred from their systems before, during, or after the incident. IDMerit requested a security incident report from the ethical hackers as proof, but the response was a demand for money, leading the company to suspect a ransom‑related motive. Based on its internal review and the partners’ confirmations, IDMerit asserted that there was no indication that any customer data had been compromised.

The exposed data included the types of information typically used for identity verification, such as government‑issued IDs and personal details that could enable attackers to attempt SIM‑swap attacks, intercept security codes, or craft targeted phishing scams using legitimate‑looking personal data. Although there was no public evidence that criminals had downloaded the database, researchers noted that automated bots constantly scan the internet for unprotected stores and could copy the data within minutes if they discovered it. The incident highlighted the reliance of banks, fintech firms, and other financial services on third‑party verification providers and demonstrated how a single unsecured database can affect millions of individuals across multiple jurisdictions. IDMerit said it continues to maintain robust security safeguards and is treating the allegations seriously while coordinating with its partners to investigate further.
