by David Lindfield
An estimated one billion sensitive identity records may have been exposed after a major OD verification company left a massive global database unsecured online, according to cybersecurity researchers.
The exposed records reportedly include personal details such as names, home addresses, dates of birth, phone numbers, national identification numbers, and other sensitive information commonly used to verify a person’s identity.
Researchers say the database was tied to IDMerit, a company that provides online identity verification services to financial institutions and technology firms.
Researchers Discover Unprotected Database
Cybersecurity researchers at Cybernews discovered the exposed MongoDB database on Nov. 11, 2025.
According to the researchers, the database was not protected by a password, meaning anyone who knew where to look could access it.
Inside the database were records containing full names, addresses, postal codes, dates of birth, national ID numbers, phone numbers, email addresses, and gender information.
Some entries also contained telecom-related metadata and internal system flags that may have referenced previous data incidents.
IDMerit provides identity verification services used by banks, fintech companies, and other financial institutions to perform Know Your Customer (KYC) checks, the process used to verify a customer’s identity when opening financial accounts.
Hundreds of Millions of U.S. Records Exposed
The exposure affected individuals in 26 countries.
Researchers estimate that more than 203 million records tied to people in the United States were left unsecured.