1 Billion Personal Data Leak: What Happened?

Data leaks don’t seem like a big deal to some people, especially those who think they won’t be affected. But how would you feel if we told you that everyone can be affected by a data leak, and that the chances of your data being compromised are higher than you think?

Researchers discovered an IDMerit database left unprotected and without a password requirement. This compromised billions of records, encompassing 26 countries, putting people at risk of SIM swapping, credit fraud, and targeted phishing.

Based on a report from Market.us, there were about 15 billion stolen account credentials found on the dark web in 2022. And today, another data leak just exposed the personal data of billions of people from various countries. And chances are that you’ve been exposed, too.

The data leak involves IDMerit.

IDMerit is a company that offers AI-powered identity verification. It also provides other solutions, such as Anti-Money Laundering (AML) and Know Your Customer (KYC). The company covers over 180 countries, including the U.S., Canada, Mexico, Germany, Italy, China, Japan, and more.

IDMerit’s verification encompasses national ID cards, driving licenses, and passports. Plus, they work with various industries and regulated sectors, including banking and fintech.

With how big this company is, you can only imagine how sizable the damage will be if a data leak happens, which did happen.

The exposure was first discovered by Cybernews researchers on November 11, 2025. Specifically, the researchers found a completely open MongoDB database linked to IDMerit. This means that the database didn’t require passwords and was accessible from the internet. Anyone with the link could access, download, or even delete the data.

On November 12, 2025, Cybernews researchers notified the company. Then, IDMerit had restricted the database. But it was unclear how long the database had been left unprotected before the discovery. It could have been exposed for weeks, months, or even a year before the researchers discovered the breach.

Then, on February 18, 2026 (99 days later), Cybernews publicized its discovery and investigation. And after the publication, IDMerit reached out to Cybernews, claiming that it doesn’t own, store, or control data of its customers or those that are managed by independent sources. Plus, IDMerit claimed that it had reviewed its systems, software, and security and that they did not identify any exposure, unauthorized access, or vulnerability. A spokesperson even said: “IDMerit’s systems have never been compromised…. No indication that any customer data has been compromised.”

IDMerit reassures that it sustains “robust security”, and “takes accusations very seriously.”

According to Cybernews researchers, the data leak compromised personally identifiable information (PII) and national identification documents from 26 countries. Of the 3 billion exposed records, the affected pieces of information include:

Since IDMerit operates on a global scale, the exposed data includes records from various countries, including:

With the scale of this data leak, the chances of you being one of the affected are high. And when your information is exposed, you’ll be vulnerable to various leaks, such as follows:

• Risk No. 1: Targeted Phishing: With your email address exposed, scammers will be able to contact you and send you phishing emails. What’s worse, with other details about you, they can make their messages more personalized or contextualized. For example, if they find out about which bank you use, they can make you believe that the email is from your bank.
  
• Risk No. 2: Credit Fraud: Fraudsters can also use your leaked information. For instance, with your credit card number or account details, they’ll be able to access your accounts, allowing them to withdraw, make purchases, and even open new accounts under your name.
  
• Risk No. 3: SIM Swapping: With your phone number and name, scammers can call your phone company, convince them that it’s you, and persuade them into transferring your phone number to a new SIM card that they control. This is called a SIM swap. Once scammers have control over your number, they’ll be able to receive your calls, texts, and even one-time passwords (OTP) that will give them access to your accounts.

These are just 3 of the many risks of having your information exposed online. You can visit “Scam-Savvy: How to Protect Yourself and Spot a Scam” to know more about 90+ scams that can happen to anyone with exposed personal data.

While it’s not your responsibility to stop data leaks (it’s for companies that collect your data to bear), there are still things you should do to reduce the chances of exposure and minimize the impact.

The less personal data you have out there, the lower the chances are of you being affected. So, protect your data. This means avoiding oversharing on social media, keeping your accounts private, and opting out of data brokers (companies that quietly collect and sell personal information).

After a data leak, you should freeze your credit by contacting the major credit bureaus. This is important because even though your data was leaked, bad actors won’t be able to use it to damage your credit. This will prevent them from opening accounts or taking out loans under your name.

Ensure that you’re using two-factor authentication (2FA). This is because even if your data was leaked, scammers won’t get access to your accounts without the 2FA code. We recommend using an authenticator app to avoid SIM swap attacks that use 2FA codes sent via SMS.

Data leaks like this are really concerning. And if you have the mentality that you’re safe, think about the scale of this IDMerit data leak. Think about how many companies are collecting your data. Think about the fact that these companies can get hacked any minute, compromising the information they have on you.

The best thing you can do is to prepare by protecting your data and turning 2FA on. As the saying goes, “Prevention is better than cure.”

As of January 2026, the U.S. has recorded over 30,000 cyber incidents, which is the highest record globally. This record can be attributed to the country’s strict reporting system and broad attack surface.

The countries that are the most prepared in cybersecurity include: 1) the Czech Republic, 2) Canada, 3) Estonia, 4) Finland, 5) Moldova, 6) Belgium, 7) Hungary, and 8) Romania.