
A massive global data breach has compromised approximately one billion personal records after an unsecured database was discovered online.
According to research from Cybernews, the exposed data is linked to IDMerit, a prominent AI-powered digital identity verification provider that services the fintech and financial services sectors.
What data has been exposed?
The leak involves an unprotected MongoDB instance containing nearly a terabyte of “Know Your Customer” (KYC) data. KYC records are highly sensitive because they are used by businesses to verify the identities of their users.
This treasure trove of leaked personally identifiable information (PII) includes:
- Full names and gender
- Physical addresses and postal codes
- Dates of birth
- National identification numbers (IDs)
- Phone numbers and email addresses
- Telecom metadata and social profile annotations
Who has been affected?
The breach is truly global in scope, impacting individuals across 26 countries. The Cybernews team found that the United States was hit the hardest, with over 203 million records exposed.
Other heavily affected nations include Mexico (124M), the Philippines (72M), Germany (61M), Italy (53M), and France (53M). Records from China and Brazil were also identified in the dataset.
Researchers warned that the structured nature of this data makes it a “gold mine” for criminals. Because the database contains high-risk identifiers like national IDs and dates of birth, it provides the perfect ingredients for identity theft and sophisticated fraud.
What should you do?
The Cybernews team discovered the leak on November 11th and notified IDMerit, which secured the instance the following day.
While there is no direct evidence that malicious actors accessed the data, the risk remains high as automated crawlers often scrape exposed databases within hours. To protect yourself, experts recommend the following steps:
- Monitor Your Accounts: Keep a close eye on bank statements and credit reports for any unauthorized activity.
- Beware of Phishing: Be extremely cautious of unsolicited emails or texts asking for further information, as hackers may use your leaked details to make their “phishing” attempts look legitimate.
- Enable Two-Factor Authentication (2FA): Secure your accounts with 2FA, ideally using an authenticator app rather than SMS to prevent “SIM-swapping” attacks.
- Use Identity Protection: Consider using identity theft monitoring services to receive alerts if your PII appears on the dark web.
For more information, here’s the full report: https://cybernews.com/

