A major cybersecurity incident has raised concerns about the safety of personal data after researchers discovered a massive database containing sensitive identity records exposed on the open internet. The database, which reportedly held close to one billion records, included personal information used by financial institutions and digital platforms to verify the identities of their users.

The dataset is believed to be associated with IDMerit, a company that provides digital identity verification technology to banks, fintech platforms and other organizations that need to confirm the identity of customers during account registrations or financial transactions.

The exposure was first identified by cybersecurity researchers at Cybernews on November 11, 2025. According to their findings, the information was stored in a MongoDB database that was publicly accessible and lacked even the most basic form of security protection — a password.

Because the database was open, anyone who discovered its location online could potentially view the information stored inside. Researchers say the records included data from individuals across 26 countries, significantly expanding the scale of the potential privacy risk.

Hundreds of Millions of Records From the United States

Among the countries affected, the United States accounted for the largest share of exposed records. Researchers estimate that more than 203 million records tied to U.S. residents were included in the database.

The information reportedly contained detailed personal data that is typically used during identity verification checks. These details included full names, residential addresses, postal codes, dates of birth, national identification numbers, email addresses, phone numbers and gender information.

In addition to these basic identifiers, some entries also included technical metadata to telecommunications systems and internal data flags. Researchers believe that some of these markers may have been used internally to categorize records or reference previous security incidents.

Beyond the United States, the exposure also affected people in several other countries. Large numbers of records were reportedly linked to Mexico, the Philippines, Germany, Italy and France.

The discovery has drawn significant attention because identity verification systems typically store the exact information that individuals submit when they open bank accounts, create financial service profiles or register for cryptocurrency platforms.

Lack of Security Protection Allowed Open Access

What makes the incident particularly concerning is the absence of basic security safeguards protecting the database.

According to researchers, the MongoDB server was not configured with authentication requirements, meaning the system did not require a username or password to access the stored information. As a result, anyone who located the database’s internet address could view the data without restrictions.

After the vulnerability was discovered, researchers contacted the company believed to be connected to the dataset. The database was reportedly secured within a day after the notification.

However, cybersecurity specialists warn that unsecured databases can be extremely vulnerable during even short exposure periods. Automated scanning tools frequently search the internet for misconfigured servers and exposed data repositories.

These automated bots can detect open databases and download their contents within minutes, making it difficult to determine whether unauthorized parties may have copied the information before the issue was resolved.

At present, researchers say there is no confirmed evidence indicating that cybercriminals accessed or downloaded the exposed records.