1B identity records exposed in ID verification data leak

‘Know Your Customer’ or ‘Kill Your Customer’? Users roast GDPR, execs, and mystery data hoarders

TLDR: A database tied to IDMerit reportedly exposed up to 1 billion identity records before it was locked, raising scam fears. Commenters roast KYC, slam GDPR cookie pop‑ups, and demand to know where the data came from, while skeptics point out the report hasn’t been widely confirmed.

The internet’s worst nightmare just got a new season: researchers say a database tied to IDMerit left up to 1 billion identity records in 26 countries sitting on the open web with no password. Cue the comments section going nuclear. The top meme? “KYC = Kill Your Customer” — a spicy swipe at those “Know Your Customer” ID checks banks and apps force on everyone.

The crowd split into two loud camps. One side is torching “privacy theater,” with jokes that GDPR — Europe’s big privacy law — did nothing but invent the endless cookie pop-up. Another faction is straight-up suspicious: “Where did IDMerit even get this much data?” they ask, side-eyeing the company’s statement that it “doesn’t store customer data” and only connects to “authorized sources.” It didn’t help that one commenter bet Vegas money that company execs’ own data is somehow never in these leaks. Ouch.

Meanwhile, skeptics note the Cybernews report is weeks old and say they haven’t seen wider confirmation, even as edits have added details. What’s not debated: the stakes. The exposed records allegedly included names, addresses, birthdays, and national IDs — the exact ingredients scammers need for SIM-swap takeovers and creepy, hyper-real phishing. Panic, rage, and “show me proof” energy all collide here — and no one’s laughing about KYC anymore.

Key Points

  • Cybernews researchers found an unprotected MongoDB database believed tied to IDMerit, exposing about 1 billion identity records from 26 countries.
  • Over 203 million records in the United States were accessible; Mexico, the Philippines, Germany, Italy and France were also heavily impacted.
  • Exposed data included names, addresses, dates of birth, national ID numbers, phone numbers, emails and gender; some records had telecom metadata and internal breach-related flags.
  • Researchers notified the company, and the database was secured the next day; there is no public evidence of criminal exfiltration, though automated bots could have copied it quickly.
  • IDMerit said it is a SaaS platform connecting to independent authorized data sources and does not store customer data; it initiated a review after being alerted that certain data ports could have been open.

Hottest takes

"KYC = Kill Your Customer" — egorfine
"What did measures like gdpr ever achieve except for making me click a cookie prompt away" — mbix77
"Where the F does IDMerit even get all this data from?" — whatsupdog