• Home
  • cyber
  • IDMerit: Data leak at digital identity verification provider exposes 1 billion records
cyber Breach

IDMerit: Data leak at digital identity verification provider exposes 1 billion records

Nov 11, 2025 2 min read
IDMerit: Data leak at digital identity verification provider exposes 1 billion records

Massive IDMerit Database Exposure Leaves 1 Billion Records Unsecured

Cybernews researchers recently uncovered a publicly accessible database containing nearly 1 billion records from 26 countries, linked to IDMerit, an AI-powered digital identity verification provider serving fintech and financial services. The unsecured data was discovered on November 11, 2025, and promptly reported to the company, which secured the database shortly after. There is currently no evidence that threat actors accessed the information.

The exposed records included highly sensitive personally identifiable information (PII), such as:

  • Full names
  • Home addresses and postal codes
  • Dates of birth
  • National identification numbers
  • Phone numbers and email addresses
  • Gender details
  • Potential telecom metadata

The structured nature of the data makes it particularly vulnerable to abuse, as it can be easily searched and exploited.

Breakdown of Exposed Records by Country

The dataset spanned multiple regions, with the highest concentrations in:

  • United States: ~204 million
  • Mexico: ~123 million
  • Philippines: ~72 million
  • Germany: ~60 million
  • Italy: ~53 million
  • France: ~52 million
  • Turkey: ~49 million
  • Brazil: ~39 million
  • Spain: ~31 million
  • Malaysia: ~24 million

Smaller but still significant exposures were recorded in countries like Canada (~12 million), Australia (~12 million), and China (~8 million).

Potential Risks of the Exposure

The leaked data is a prime target for cybercriminals, enabling:

  • Identity theft
  • Account takeovers
  • Targeted phishing attacks
  • Credit and loan fraud
  • SIM-swapping attacks

Unlike passwords, which can be reset, identity-related data remains valuable indefinitely, potentially circulating in underground markets long after the initial exposure.

The incident underscores the risks of improperly secured databases, particularly for companies handling sensitive verification data. While IDMerit acted quickly to contain the breach, the long-term implications for affected individuals remain a concern.

Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/leak-at-digital-identity-verification-provider

IDMERIT cybersecurity rating report: https://www.rankiteo.com/company/idmerit

"id": "IDM1772052223",
"linkid": "idmerit",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Individuals across 26 countries',
                        'industry': 'Fintech, Digital Identity Verification, '
                                    'Financial Services',
                        'location': 'Global',
                        'name': 'IDMerit',
                        'type': 'Company'}],
 'attack_vector': 'Unsecured Database',
 'data_breach': {'data_exfiltration': 'No evidence of threat actor access',
                 'number_of_records_exposed': '1 billion',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Full names',
                                              'Home addresses and postal codes',
                                              'Dates of birth',
                                              'National identification numbers',
                                              'Phone numbers',
                                              'Email addresses',
                                              'Gender details',
                                              'Telecom metadata']},
 'date_detected': '2025-11-11',
 'description': 'Cybernews researchers uncovered a publicly accessible '
                'database containing nearly 1 billion records from 26 '
                'countries, linked to IDMerit, an AI-powered digital identity '
                'verification provider. The exposed records included highly '
                'sensitive personally identifiable information (PII) such as '
                'full names, home addresses, dates of birth, national '
                'identification numbers, phone numbers, email addresses, and '
                'gender details. The structured nature of the data makes it '
                'particularly vulnerable to abuse.',
 'impact': {'brand_reputation_impact': 'Potential long-term reputational '
                                       'damage',
            'data_compromised': '1 billion records',
            'identity_theft_risk': 'High',
            'systems_affected': 'IDMerit database'},
 'investigation_status': 'Contained, no evidence of threat actor access',
 'lessons_learned': 'The incident underscores the risks of improperly secured '
                    'databases, particularly for companies handling sensitive '
                    'verification data.',
 'post_incident_analysis': {'root_causes': 'Improperly secured database'},
 'references': [{'source': 'Cybernews'}],
 'response': {'containment_measures': 'Database secured shortly after '
                                      'discovery',
              'incident_response_plan_activated': 'Yes'},
 'title': 'Massive IDMerit Database Exposure Leaves 1 Billion Records '
          'Unsecured',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Improperly secured database'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.