1 billion personal records in 26 nations just leaked online

Digital ID database found publicly accessible with no security barrier in place

1 billion records leaked online across 26 countries — millions of identities exposed in a massive data mishap. | ©Image Credit: ThisIsEngineering / Pexels
1 billion records leaked online across 26 countries — millions of identities exposed in a massive data mishap. | ©Image Credit: ThisIsEngineering / Pexels

More than 1 billion personal records across 26 countries have been exposed online after a digital identity database was left publicly accessible with no password or security safeguards in place. The leaked data reportedly includes full names, phone numbers, and home addresses tied to individuals in the U.S., Mexico, the Philippines, and beyond. While there is no confirmed evidence yet of criminal misuse, experts warn that the potential fallout could be significant for everyday users. Keep reading to find out what happened, what information may be at ris,k and the steps you can take now to protect yourself.

Table of Contents show

Where did the data leak originate?

Contrary to what you might expect, this global security incident wasn’t the result of a sophisticated midnight heist by elite hackers. There was no breach in the traditional sense; instead, it was a massive data leak caused by a simple, avoidable human error: a digital door left wide open.

Cybersecurity researchers at Cybernews discovered that a massive database, believed to belong to the identity verification firm IDMerit, was sitting on the public web without a single password or encryption barrier to protect it. As a company that provides digital ID solutions for businesses worldwide, IDMerit’s database acted as a central hub for verifying users across dozens of countries. This meant that while people thought they were providing information to various services for security purposes, their most sensitive details were actually being funneled into an unprotected cloud.

Security specialists, such as Cybernews’ very own Jeremiah Fowler, constantly scan the internet for these open vaults to protect the public. Unfortunately, cybercriminals are doing the exact same thing. Cybernews stumbled upon this one-terabyte trove on November 11, 2025, and acted immediately to alert the company, which has since secured the records. However, the window of exposure was long enough to put millions at risk.

As previously mentioned, the scale of this exposure spans 26 nations, but some regions were hit significantly harder than others. The following is the list of affected countries by number of exposed personal records

  1. United States: 204M
  2. Mexico: 123M
  3. Philippines: 72M
  4. Germany: 60M
  5. Italy: 53M
  6. France: 52M
  7. Turkey: 49M
  8. Brazil: 39M
  9. Spain: 31M
  10. Malaysia: 24M
  11. Vietnam: 21M
  12. Argentina: 20M
  13. Colombia: 18M
  14. Peru: 14M
  15. Canada: 12M
  16. Australia: 12M
  17. Greece: 9M
  18. China: 8M
  19. Hong Kong: 8M
  20. UAE: 6M
  21. Norway: 4M
  22. Romania: 4M
  23. Armenia: 2M
  24. Thailand: 2M
  25. Yemen: 2M
  26. Morocco: 1M

What personal information was exposed?

Imagine this database as a giant, unlocked filing cabinet left wide open in the middle of a public park. Because there was no password to act as a lock, anyone—from a curious passerby to a professional criminal—could simply reach in and photocopy everything inside. The sheer depth of the data makes it particularly dangerous, as it includes:

  • Core identity: Full names, genders, and exact dates of birth.
  • Contact and Location: Physical addresses, postal codes, and verified phone numbers.
  • Government records: Sensitive national ID numbers.
  • Digital footprints: Email addresses, telecommunications metadata, and even social media profile annotations.
  • Historical context: “Breach status” markers, which indicate if an individual’s data had already been compromised in previous leaks.

Perhaps the most alarming detail is that the information was highly structured. In the world of data, structure equals speed. While raw, unstructured data is often a messy jumble that requires hours of cleaning, this database was neatly organized and easily searchable. In the wrong hands, this data is a goldmine for malicious actors, enabling them to execute account takeovers, highly targeted phishing campaigns, credit card fraud, SIM swap scams, and even full-blown identity theft.

Steps to safeguard your personal data after a leak

If your information was part of this leak, you might receive a formal notification letter in the mail. If you do, read it carefully. These letters often include a code for a free identity theft protection service. Sign up immediately to let professionals monitor your credit for you.

Even if you don’t get a letter, here is how to stay safe:

1. Watch out for scams

Because hackers now have your real name and address, their fake emails and texts will look very convincing. Never click links in an unexpected text or email. If a “bank” or “government agency” contacts you, hang up and call them back using the official number on their website.

2. Lock your credit

A credit freeze is one of the most effective tools you have. It prevents anyone from opening a new credit card or loan in your name. It’s free to do and can be toggled on or off whenever you need it.

3. Update your security software

Make sure your antivirus software is active and updated on both your computer and phone. Hackers often send “malware” through email attachments that can spy on your screen or steal your passwords.

4. Use identity monitoring services

Consider using a service that scans the dark web for your national id or email. These services alert you the second your personal details show up in a criminal marketplace.

Sources: Cybernews, Tom’s Guide