Your government ID number just became a fraud tool. IDMerit, an AI-powered identity verification company that processes know-your-customer checks for banks and crypto exchanges, left one billion personal records exposed on the public internet. We’re talking complete identity verification packages—full names, national ID numbers, dates of birth, home addresses, and phone numbers across 26 countries. The kind of structured data that makes impersonating you trivial.
Basic Security Failure With Massive Consequences
A MongoDB database lacked password protection while containing a terabyte of sensitive identity data.
Security researchers at Cybernews discovered the unprotected database on November 11, 2025, but public disclosure didn’t happen until February 18, 2026—a 99-day silence that raises serious accountability questions. The root cause? IDMerit deployed a MongoDB database to the public internet without basic authentication. Any script kiddie with the URL could read, copy, or delete the entire contents. Database security 101 would have prevented this catastrophe.
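The two settings behind that failure can be checked straight from a MongoDB config file. The sketch below is an added example, not code from IDMerit or Cybernews: it audits `mongod.conf` for `security.authorization`, `net.bindIp` and `net.bindIpAll`, and both sample configs are constructed for illustration.

```python
import ipaddress
# Constructed sample mongod.conf files; not taken from the incident.
EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus one private interface
security:
  authorization: enabled
"""

def flatten(text):
    """Parse the nested-mapping YAML subset mongod.conf uses into dotted keys."""
    stack, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that are deeper than or level with this key
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip().strip("\"'")
    return out

def is_exposed_bind(addr):
    """True for wildcard binds and globally routable IPs; hostnames count as not exposed."""
    try:
        return addr in ("0.0.0.0", "::", "*") or ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def audit(text):
    """Return findings for the two settings behind an open, public MongoDB."""
    c = flatten(text)
    # mongod defaults: authorization disabled, bindIp localhost
    no_auth = c.get("security.authorization", "disabled") != "enabled"
    binds = [b.strip() for b in c.get("net.bindIp", "localhost").split(",")]
    exposed = c.get("net.bindIpAll") == "true" or any(map(is_exposed_bind, binds))
    checks = {"auth-disabled": no_auth, "network-exposed": exposed,
              "critical-unauthenticated-and-exposed": no_auth and exposed}
    return [name for name, hit in checks.items() if hit]
```

A config audit sees only what the file says; firewall and security-group rules in front of the host have to be checked separately.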
Why This Data Creates a Perfect Storm for Fraud
National ID numbers enable synthetic identity theft that traditional breaches can’t match.
Unlike stolen passwords or credit cards, your national ID number can’t be changed once exposed. Criminals can use this verified identity data for:
- SIM swap attacks
- Targeted phishing that references your real address
- Synthetic identity fraud that bypasses standard security checks
The United States saw 203 million records exposed, followed by Mexico with 124 million. KYC databases are uniquely dangerous because they contain exactly the data points banks use to verify you’re really you.
Pattern of Critical Infrastructure Failures
AU10TIX and Veriff breaches show identity verification vendors have become single points of catastrophic failure.
This marks the third major KYC provider security failure in 18 months. AU10TIX—serving Uber, TikTok, and Bumble—had employee credentials exposed for over a year in June 2024. Veriff’s compromise in December 2025 leaked Total Wireless customer data.
The pattern reveals how third-party identity vendors have become critical infrastructure capable of compromising millions of users simultaneously when basic controls fail. It’s like the digital equivalent of a dam burst affecting everyone downstream.
Immediate Protection and Regulatory Reckoning
Credit freezes and authentication upgrades offer defense while regulators prepare penalties reaching tens of millions.
Place credit freezes with major bureaus immediately—this blocks new accounts even if criminals have your ID number. Switch from SMS two-factor authentication to authenticator apps since your phone number may enable SIM swap attacks.
IDMerit disputes direct responsibility, claiming the data came from “independent sources,” but GDPR penalties can reach €20 million while California’s CCPA threatens $100-750 per affected resident. The company’s 99-day disclosure delay suggests regulatory scrutiny has only begun.
The identity verification industry just proved it can’t secure the data it exists to protect. Your government ID is now in the wild—act accordingly.




























