A publicly accessible database tied to identity-verification systems contained roughly one billion records of personally identifiable information, according to security researchers who identified the storage and alerted the operator.
The exposed information included full names, dates of birth, physical addresses, phone numbers and national identity numbers used in routine know-your-customer checks. The discovery and the scale of the dataset were first detailed by security researchers cited in a Cybernews investigation.
The database was identified during internet scans for unprotected services, a routine technique used by cybersecurity researchers to locate misconfigured cloud infrastructure. According to reporting on the discovery, the storage required no authentication and was reachable from the public internet, allowing anyone who located it to read the contents.
The company tied to the database, IDMerit, provides identity and KYC screening services used by banks, financial technology firms and other organizations that rely on third-party verification.
Multiple reports characterize the exposure as spanning 26 countries and affecting hundreds of millions of entries in individual jurisdictions. A technical summary compiled by a consumer technology outlet lists the United States among the most affected countries and describes the incident as an unsecured database rather than a confirmed intrusion. Additional context and country-level reporting were published in coverage by Tom’s Guide examining the scale of the exposed records.
Researchers who reviewed the dataset said it contained several categories of verification metadata in addition to basic identity fields. These included structured KYC verification logs, telecom-related metadata and annotations associated with identity checks. Separate reporting noted that the repository was unusually large—some accounts say it contained more than three billion entries overall, with roughly one billion records holding highly sensitive identity details—and that the stored files exceeded one terabyte in size, according to an independent summary of the findings.
The database was reportedly secured after the exposure was disclosed to the operator. Cybersecurity reporting indicates that researchers notified the responsible party after identifying the repository, after which the storage was restricted. At the time of reporting there was no public confirmation that malicious actors had copied or exploited the information before the database was closed.
The company named in the reports disputed several claims about the incident. In public statements cited in industry coverage, the operator challenged the characterization of the database and questioned whether the exposed records represented active customer data. The company’s response and its disagreement with the researchers’ conclusions were summarized in reporting published by Biometric Update.
Security analysts say the exposure illustrates a broader structural risk in the digital identity ecosystem. Many online services rely on external identity verification providers that collect and store large volumes of personal information during registration and compliance checks.
If those providers misconfigure storage or access controls, the resulting exposure can affect records gathered on behalf of many companies at once. The potential implications of this type of incident have been examined in technical analysis published by TechRadar.
The information contained in the exposed records (names, dates of birth, identity numbers and contact information) represents the type of personal data commonly required for account verification and regulatory compliance checks. Security experts note that datasets containing these fields can be valuable for identity fraud or targeted social engineering because they mirror the information used to validate user identities in financial and telecommunications systems.
Researchers and news outlets that documented the discovery advise individuals to remain attentive to unusual account activity and unexpected verification requests. Organizations that depend on third-party identity verification services are also encouraged to review how vendors store and secure sensitive personal information and ensure appropriate safeguards are in place.
Discover more from Aree Blog
Subscribe now to keep reading and get access to the full archive.
