IDMerit, an AI-powered identity verification provider processing know-your-customer (KYC) checks for banks and cryptocurrency exchanges, left a MongoDB database publicly accessible without authentication for 99 days, exposing approximately one billion identity records across 26 countries. Security researchers at Cybernews discovered the unprotected database on November 11, 2025. Public disclosure did not occur until February 18, 2026. There is no confirmed evidence the data was accessed maliciously, but the exposure window and the sensitivity of the data make that assumption indefensible.

What Happened

IDMerit deployed a production MongoDB instance to the public internet without password protection. No authentication. No access controls. Any actor with the database URL could read, copy, or destroy the entire contents; no exploit required.

Cybernews researchers identified the exposure on November 11, 2025 and notified IDMerit. The database was secured, but public disclosure was withheld for 99 days, raising serious accountability questions about breach notification obligations across the 26 affected countries. IDMerit has not publicly detailed what remediation steps were taken, whether affected individuals were notified, or whether forensic review confirmed no unauthorized access during the exposure window.

What Was Taken

The exposed database contained approximately one terabyte of verified identity data, the highest-trust data class that exists precisely because it was verified:

The United States accounted for 203 million records. Mexico: 124 million. The remaining 24 countries make up the balance. This is not scraped or inferred data; it is identity data that was verified against government sources before being stored.

Why It Matters

KYC providers have become single points of catastrophic failure for the entire financial and crypto ecosystem. IDMerit's clients are banks and exchanges. Those institutions outsourced identity verification to a third party and assumed the data was protected. It was not.

This is the third major KYC vendor breach in 18 months:

- AU10TIX (June 2024): employee credentials exposed for over a year; clients included Uber, TikTok, Bumble
- Veriff (December 2025): breach leaked Total Wireless customer identity data
- IDMerit (November 2025, disclosed February 2026): one billion records, no authentication

The pattern is not coincidence. Identity verification vendors are processing critical infrastructure data with startup-grade security practices. Every downstream client inherits that risk.

National ID numbers are permanently damaging in a way that passwords and credit card numbers are not. You can rotate a password. You cannot change your government ID number. Every record in this database is a permanent fraud vector.

The Attack Technique

There was no attack technique. The database required none.

IDMerit deployed MongoDB to the public internet without enabling authentication, a misconfiguration that violates MongoDB's own default security recommendations (authentication has been required by default since MongoDB 3.6, released in 2017). Any actor who discovered the endpoint via Shodan, Censys, or routine scanning could access the full dataset with a standard MongoDB client.
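As an added example (not material from the article or from IDMerit), these are the two mongod.conf settings that decide whether an instance answers unauthenticated reads from the internet: a constructed weak configuration beside a hardened one, with a small offline audit that flags the weak one. The 10.0.0.5 address is a placeholder for an internal application host.

```python
# Offline audit of the two mongod.conf settings that decide whether an instance
# answers unauthenticated reads from the internet. Uses a minimal YAML-subset
# parser (nested mappings, scalars, '#' comments) so it runs without PyYAML.

def parse_mongod_conf(text):
    """Parse indentation-nested 'key: value' lines into a dict of dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open parents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings at equal/deeper indent
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit(conf):
    """Return findings; an empty list means both checked settings are sane."""
    findings = []
    auth = str(conf.get("security", {}).get("authorization", "disabled")).lower()
    if auth != "enabled":  # mongod default: no authentication at all
        findings.append("security.authorization not 'enabled'")
    net = conf.get("net", {})
    bind = str(net.get("bindIp", "127.0.0.1"))  # mongod default: loopback only
    if (str(net.get("bindIpAll", "false")).lower() == "true"
            or "0.0.0.0" in bind.split(",") or "::" in bind.split(",")):
        findings.append("net.bindIp exposes the port on all interfaces")
    return findings

WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0      # constructed: every interface, no security section at all
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # constructed: loopback plus placeholder app host
security:
  authorization: enabled
"""
```

Running `audit(parse_mongod_conf(WEAK_CONF))` yields both findings, while the hardened configuration yields none.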

The 99-day exposure window spans the peak of Q4 2025, a period of elevated threat actor activity targeting financial data. Whether the database was accessed by malicious actors during that window is unknown. IDMerit has not confirmed a forensic review.

What Organizations Should Do

  1. Audit all third-party KYC and identity verification vendors immediately. Request evidence of encryption at rest, access controls, penetration test results, and breach notification procedures. Contractual SLAs mean nothing if the vendor's security posture is not verified independently.

  2. Treat KYC vendor access as critical infrastructure access. Apply the same due diligence to identity verification providers that you apply to core banking infrastructure. They hold the keys to your entire customer identity layer.

  3. Scan your own external attack surface for unauthenticated databases. MongoDB, Elasticsearch, Redis, and CouchDB misconfigurations are routine. Run Shodan or Censys queries against your ASN. Do it quarterly.

  4. Assume IDMerit-verified identities are compromised. If your organization relied on IDMerit for KYC verification, treat those identity records as potentially in adversary hands. Implement step-up verification for high-risk transactions and monitor for synthetic identity fraud patterns.

  5. Review your third-party breach notification SLAs. IDMerit sat on this for 99 days. Your vendor contracts should require notification within 72 hours of discovery, consistent with GDPR Article 33 and equivalent frameworks. If they don't, fix that now.

  6. Flag affected users for enhanced fraud monitoring. US (203M) and Mexico (124M) represent the highest-exposure populations. Financial institutions operating in these markets should elevate fraud detection thresholds for accounts verified through third-party KYC providers in the relevant period.

Sources