3 Billion Records Exposed: The IDMerit Mega-Leak and the Death of "Identity Trust"
In a year already plagued by massive breaches, yesterday marked a catastrophic milestone. IDMerit, a global provider of AI-powered identity verification solutions, inadvertently left the "master key" to billions of digital identities wide open on the public internet.
The irony is thick: a company whose entire mission is to verify and protect identity has become the source of one of the largest identity exposures in history.
The Exposure: 1 Terabyte of Open Data
Cybersecurity researchers discovered a MongoDB database belonging to IDMerit that was reachable from the public internet and accepted connections without any password or authentication. This was not the exploitation of a software flaw but a missing access control: anyone who found the host could read everything on it. Inside was a staggering 1 terabyte of data containing over 3 billion records.
What was leaked?
This wasn't just a list of emails. The exposed trove contained high-value Know Your Customer (KYC) data, including:
- Full Names and Birthdates
- National ID Numbers (SSNs, Passport details)
- Genders and Physical Addresses
- Phone Numbers and Email Addresses
- Telco Metadata and Social Profile Annotations
The Global Impact
While the database contained 3 billion entries, researchers believe approximately 1 billion are unique, sensitive personal profiles. The data spans 26 countries, making it a global goldmine for threat actors:
- United States: 203 million records
- Mexico: 124 million records
- Philippines: 72 million records
- Vietnam: 21 million records
Why This is a "Single Point of Failure"
Industry experts are calling this a "catastrophic failure of third-party infrastructure." Because IDMerit provides identity services to fintechs and financial institutions, a breach here acts as a "skeleton key" for attackers.
With this data, hackers don't need to "guess" your security questions—they already have the answers. This enables:
- Synthetic Identity Fraud: Creating entire new personas using real stolen SSNs.
- Account Takeover (ATO): Impersonating users to pass identity checks and knowledge-based account recovery at banks and fintechs.
- Targeted Phishing: Using telco metadata and social profile data to craft highly convincing, personalised lures that cite real account and contact details.
The Hacklido Takeaway
For the researchers and red-teamers at Hacklido, this is a grim reminder that AI-driven security is only as strong as its data hygiene. You can have the most advanced AI verification engine in the world, but if your backend MongoDB is "public," the AI is just helping the hackers organize their loot.
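Added example, editor's code rather than anything from the post, IDMerit or the researchers: a dependency-free probe that sends `listDatabases` to a MongoDB host with no credentials and classifies the answer. A server in the state this post describes replies with `ok: 1` and the list of databases; one with access control enabled refuses with error code 13 (Unauthorized). The hostnames, default port and timeout are assumptions; the wire framing is the standard OP_MSG encoding, implemented here by hand so the script runs without the pymongo driver.

```python
"""Dependency-free probe: does this MongoDB answer listDatabases with no credentials?"""
import socket
import struct
import sys

OP_MSG = 2013  # wire-protocol opcode for OP_MSG (MongoDB 3.6+)

def bson_encode(doc: dict) -> bytes:
    """Encode bool/int/float/str/None/dict/list values as a BSON document."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):  # checked before int: bool is an int subclass
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            if -2**31 <= value < 2**31:
                body += b"\x10" + name + struct.pack("<i", value)
            else:
                body += b"\x12" + name + struct.pack("<q", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(raw)) + raw
        elif value is None:
            body += b"\x0a" + name
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        elif isinstance(value, list):  # arrays are documents keyed "0", "1", ...
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def bson_decode(data: bytes, pos: int = 0):
    """Decode one BSON document at `pos`; return (dict, offset just after it)."""
    end = pos + struct.unpack_from("<i", data, pos)[0] - 1  # offset of trailing 0x00
    pos, out = pos + 4, {}
    while pos < end:
        etype, pos = data[pos], pos + 1
        name_end = data.index(b"\x00", pos)
        name, pos = data[pos:name_end].decode(), name_end + 1
        if etype == 0x01:                    # double
            val, pos = struct.unpack_from("<d", data, pos)[0], pos + 8
        elif etype == 0x02:                  # string: int32 length (incl. NUL) + bytes
            slen = struct.unpack_from("<i", data, pos)[0]
            val, pos = data[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):          # embedded document / array
            val, pos = bson_decode(data, pos)
            if etype == 0x04:
                val = list(val.values())
        elif etype == 0x05:                  # binary: int32 length + subtype + bytes
            blen = struct.unpack_from("<i", data, pos)[0]
            val, pos = data[pos + 5:pos + 5 + blen], pos + 5 + blen
        elif etype == 0x08:                  # bool
            val, pos = data[pos] == 1, pos + 1
        elif etype in (0x09, 0x11, 0x12):    # datetime / timestamp / int64
            val, pos = struct.unpack_from("<q", data, pos)[0], pos + 8
        elif etype == 0x0A:                  # null
            val = None
        elif etype == 0x10:                  # int32
            val, pos = struct.unpack_from("<i", data, pos)[0], pos + 4
        else:
            raise ValueError(f"unsupported BSON type 0x{etype:02x} in {name!r}")
        out[name] = val
    return out, end + 1

def build_op_msg(doc: dict, request_id: int = 1, response_to: int = 0) -> bytes:
    """Wrap a command document in an OP_MSG: flagBits=0, one kind-0 body section."""
    body = struct.pack("<I", 0) + b"\x00" + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_MSG) + body

def parse_op_msg(raw: bytes) -> dict:
    """Return the body document; it follows header(16) + flagBits(4) + kind byte(1)."""
    msg_len, _, _, op_code = struct.unpack_from("<iiii", raw, 0)
    if op_code != OP_MSG or msg_len != len(raw):
        raise ValueError("not a complete OP_MSG")
    return bson_decode(raw, 21)[0]

def classify(reply: dict) -> str:
    """OPEN: databases listed without auth.  AUTH_REQUIRED: error code 13 (Unauthorized)."""
    if reply.get("ok") == 1 and "databases" in reply:
        return "OPEN"
    if reply.get("code") == 13:
        return "AUTH_REQUIRED"
    return "UNKNOWN"

def probe(host: str, port: int = 27017, timeout: float = 5.0) -> str:
    """Send listDatabases with no credentials and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        with sock.makefile("rb") as stream:
            head = stream.read(4)
            raw = head + stream.read(struct.unpack("<i", head)[0] - 4)
    return classify(parse_op_msg(raw))

if __name__ == "__main__":  # only point this at hosts you are authorised to test
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Save it as, say, probe.py and run `python probe.py db.example.internal` (hypothetical host) against systems you operate or are authorised to test. If the result is OPEN, the server-side fix is to start mongod with access control on (`security.authorization: enabled` in mongod.conf), bind it only to internal interfaces (`net.bindIp`), and firewall port 27017 from the internet; re-run the probe afterwards and expect AUTH_REQUIRED.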
Immediate Steps for Organizations:
- Audit Third-Party Risks: If your app uses an external identity verification API, find out today how long the vendor retains the documents and attributes it verifies, where that data is stored, and what authentication and network controls protect it.
- Assume Compromise: With roughly 1 billion unique profiles in the wild, assume your users' PII is already public. Stop treating SSNs, birthdates and addresses as secrets for authentication or account recovery, and shift to phishing-resistant, hardware-backed MFA (FIDO2) that doesn't rely on personal information.
Stay ahead. Stay dangerous.
Team Hacklido ❤️
Join our Community – https://t.me/hacklido