One Billion Records Exposed When MongoDB Database Found Unsecured
By: Jim Stickley and Tina Davis
June 2, 2026
In yet another example of how we are no longer in control of our data once we provide information to another party, a recently discovered unsecured MongoDB database linked to identity verification company IDMerit exposed more than one billion records. Yes, that’s right! One billion! In this case, the records weren’t only for people in the U.S.; they covered 26 countries. A mere 203 million were from the U.S. The database was reportedly left open on the internet without proper protection, allowing anyone who found it to potentially access the information.
Investigators say the exposed system contained more than three billion records in total; however, only roughly one billion of them held sensitive personal data.
What information was exposed
The database contained a wide range of personal details collected for identity verification services used by businesses around the world.
Researchers say exposed information included:
Full names
Home addresses
Phone numbers
Email addresses
Dates of birth
National ID numbers
Social profile details and metadata
Because ID verification platforms often work with financial institutions, financial services, and online platforms, this type of data could be valuable for criminals attempting identity theft or phishing attacks.
What do they want with my data?
Exposed identity data can be used for scams, fraudulent account openings, SIM swapping attacks, and other forms of identity fraud.
If your information may have been exposed, a few simple precautions can help reduce the risk:
Change important account passwords and use unique passwords for every site. Include a combination of special characters, letters, and numbers. Don’t use personal data in your passwords. Personal data is becoming easier for attackers to access these days.
Enable multi-factor authentication wherever possible. If you can choose to use a code generator app, a key fob with a changing number, or a hardware key, those are preferred to a one-time text code or email. The latter two are not so difficult for attackers to intercept.
Monitor financial accounts and credit reports for suspicious activity. Contact the financial institution or credit bureau immediately and alert them to discrepancies.
Watch for phishing emails or texts asking for personal information. If you are in doubt, go to the mentioned website using an address you know or have bookmarked. Don’t click links or attachments.
Consider placing a credit freeze or fraud alert with credit bureaus. You can do this at no charge, but you must go to each bureau individually. Keep in mind, you will not have access to your credit report when it’s frozen, but you can unfreeze it temporarily if needed.
If you are offered credit monitoring services, take advantage. Just remember they won’t prevent an account being opened with your information. They will just alert you to the fact that it’s being attempted.
Stay alert after big breaches
Large data leaks serve as a reminder that even companies responsible for verifying identities can become targets. Keeping a close eye on your accounts and strengthening your online security habits can make it much harder for criminals to turn exposed data into real-world fraud. Keep those peepers open for any potential phishing attempts with IDMerit as a lure.
IDMerit has stated that it sees no evidence that any of the exposed data was used for evil, but we can never be sure. In any case, they do say the MongoDB database was secured as soon as it was discovered to be open.