IDMerit
Analysis of the IDMerit KYC data exposure affecting approximately 1 billion identity verification records across 26 countries due to a misconfigured MongoDB database.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: IDMerit. California-based AI-powered identity verification provider serving fintech companies, banks, and cryptocurrency exchanges across 26 countries.
Sector: Identity Verification / Fintech
Region: Global
Date of Incident: November 11, 2025 (discovery of exposed database)
Date Disclosed: February 18, 2026 (Cybernews publication)
Estimated Impact: Approximately 1 billion records
Data Types Exposed: Full names, addresses, national ID numbers, dates of birth, phone numbers, email addresses, telecom metadata, KYC/AML verification logs
Attack Type: Misconfiguration
Attack Vector: Misconfigured MongoDB database exposed without authentication
Threat Actor: Not applicable (no malicious actor; unprotected database)
Current Status: Database secured on November 12, 2025. No regulatory investigations announced. IDMerit disputes findings.
Severity Assessment: Critical. Approximately one billion identity verification records from 26 countries were exposed without authentication, representing one of the largest KYC data exposures on record.
What Happened
Cybersecurity researchers at Cybernews discovered an unprotected MongoDB database on November 11, 2025, containing approximately one terabyte of data with over 3 billion records, of which roughly 1 billion contained sensitive personal information.
The exposed data was linked to IDMerit, a digital identity verification provider serving fintech companies, banks, and crypto exchanges. The data included structured KYC records across 26 countries, with the US accounting for over 203 million records.
IDMerit has disputed the findings, stating it does not own, control, or store customer data and that its systems have never been compromised. As of early March 2026, no regulatory investigations have been publicly announced.
Timeline
November 11, 2025: Cybernews researchers discover unprotected MongoDB database containing approximately 1 billion sensitive records
November 12, 2025: Database secured following responsible disclosure
February 18, 2026: Cybernews publishes findings, 99 days after initial discovery
Impact and Risk Assessment
For Affected Individuals
Approximately 1 billion identity verification records were exposed, spanning 26 countries. The US accounted for over 203 million records, Mexico over 120 million, the Philippines 72 million, Germany 61 million, and Italy and France approximately 53 million each.
Exposed data includes full names, national ID numbers, dates of birth, and KYC verification logs, which collectively enable identity theft and fraudulent account creation at scale.
Individuals whose data was used for KYC verification through IDMerit's clients may not be aware their information was exposed, as they had no direct relationship with IDMerit.
For Organisations
Financial institutions, fintech companies, and cryptocurrency exchanges that relied on IDMerit for identity verification may face regulatory scrutiny over their vendor due diligence processes.
Organisations across 26 countries may need to re-verify customer identities if their KYC data was compromised, creating significant operational costs.
The exposure undermines trust in third-party identity verification services, which are foundational to digital onboarding across the financial sector.
Regulatory Context
KYC/AML regulations in multiple jurisdictions require organisations to protect identity verification data. Exposure of this scale may trigger investigations under GDPR (EU), CCPA (California), and equivalent frameworks in the 26 affected countries.
IDMerit's dispute of the findings complicates regulatory response, as the chain of data custody between IDMerit and its clients may be unclear.
What Should You Do?
If You Are a Potentially Affected Individual
If you have completed identity verification through a fintech, banking, or cryptocurrency platform, monitor your accounts and credit reports for signs of identity misuse.
Consider placing a fraud alert or credit freeze with major credit bureaus, particularly if you reside in the US, Mexico, Philippines, Germany, Italy, or France.
Be alert to phishing attempts that may use your personal details to appear legitimate.
If You Are a Security or Risk Professional
Review your organisation's reliance on third-party identity verification providers and assess whether they meet your data protection requirements.
Conduct a vendor risk assessment of any identity verification services in your supply chain, focusing on database security controls and access management.
Implement monitoring for exposed credentials and identity data associated with your customers through breach notification services.
Learnings and Recommendations
This incident highlights that misconfigured databases remain one of the most common and preventable causes of large-scale data exposure. Basic controls like requiring authentication and restricting network access would have prevented this entirely.
Identity verification providers sit at the foundation of the digital trust stack. When their data hygiene fails, the downstream impact is global and affects every organisation that relied on their verification services.