A massive unsecured database linked to an identity‑verification and fraud‑prevention company called IDMerit was discovered publicly accessible online, exposing over 3 billion records and potentially more than 1 billion personal data entries containing full names, addresses, dates of birth, phone numbers, email addresses, national IDs and other sensitive information. Cybersecurity researchers found the open database and notified the company, which then secured it, but the sheer scale - with affected individuals from at least 26 countries, including the US, Mexico, the Philippines, Germany, Italy, and France - raises serious concerns about identity theft, phishing attacks, SIM swap fraud and other abuses.

The breach appears to result from a misconfigured database rather than a direct hack, highlighting the vulnerabilities of third‑party data providers that serve as critical infrastructure for online services. Experts warn that even if there’s no evidence of malicious exploitation yet, such exposed personal records could be scanned and harvested quickly by attackers, underscoring the need for stronger data security practices and vigilance by individuals who may be affected.