1B identity records exposed in ID verification data leak

by robtherobber on 3/12/2026, 9:46 AM with 45 comments

by gehwartzen on 3/12/2026, 3:07 PM

At this point I get about 1-2 emails a year telling me some company has exposed my private data in some way. It’s completely routine.

We need a law mandating the company pays at least $1k per exposed record per customer or absolutely nothing will change. The current cost of “here’s a year's worth of credit monitoring” doesn’t even amount to a slap on the wrist.

by cataflam on 3/12/2026, 10:24 AM

Almost a month old, original source: https://cybernews.com/security/global-data-leak-exposes-bill...

and I've never seen any confirmation elsewhere

Looks like CyberNews have edited the article with more info since I first saw it; it used to look quite suspicious and untrustworthy, it now has more info. Still doesn't say exactly what a record is, or how many uniques there are.

by neya on 3/12/2026, 11:14 AM

If I were in Vegas, I would bet my life savings that the CXOs of the said ID Verification company's data isn't included in the leak. This is just like that McDonald's CEO's video - they never use what they create.

by egorfine on 3/12/2026, 10:09 AM

KYC = Kill Your Customer.

by gregbot on 3/12/2026, 3:37 PM

This made me absolutely livid:

> We requested a security incident report from the ethical hackers as proof

So instead of paying him a fair bug bounty, they demand that he write a formal report for them and prove to them that there is even a problem.

Totally unhinged, but it gets worse:

> the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.

Wow. So when the security researcher informs them that he would be happy to do some consulting work for them and informs them of his rates, they flip out and accuse his initial Good Samaritan decision to inform the company of the issue of being part of a plot by him to hold the company for ransom?

Whoever thought this is both totally delusional and a complete jerk. Truly, no good deed goes unpunished.

by whatsupdog on 3/12/2026, 10:59 AM

Where the F does IDMerit even get all this data from? They have names, DOBs, addresses, phone numbers, national identity numbers for over a billion people? How?

by ericwebb on 3/12/2026, 5:15 PM

Remember when you'd get a letter in the mail, "your identity has been compromised, here is a subscription to an identity monitoring service."

The system is broken. We shouldn't be so vulnerable because of foundational infrastructure.

by danlitt on 3/12/2026, 4:07 PM

> We own and operate our proprietary platform, but we do not own, control or store customer data or the underlying data maintained by independent data sources.

This seems like a critical sentence. Is this database actually operated by IDMerit, or someone else? If so, who?

by chikinpotpi on 3/12/2026, 1:39 PM

Nobody told their marketing department:

https://www.idmerit.com/blog/idmerits-data-breach-fail-safe-...

archived for posterity: https://archive.ph/MdSfO

by rmnclmnt on 3/12/2026, 1:43 PM

Unrelated to the story but TIL AOL is still a thing in 2026!

by pirate787 on 3/12/2026, 12:18 PM

While this leak may or may not have happened, for this type of exposure there should be criminal liability for developers and executives. Criminal negligence and prison time.

by kevincloudsec on 3/12/2026, 5:24 PM

Every age verification mandate creates another one of these databases. Billion records, no password, plain text.

by bilekas on 3/12/2026, 11:42 AM

> That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment

The fact that they didn't vet their data providers then has to be considered a form of negligence. In the end, it's the company I am handing over my details to, to act responsibly, not their providers.

I hate this responsibility delegating when it's not a good look, and this will continue to get worse now as the entire internet will be ID gated soon. But don't worry, all the lapses in privacy and even security are in the name of 'saving the kids'.

by djohnston on 3/12/2026, 12:33 PM

aol.com!?!?

by jajuuka on 3/12/2026, 3:30 PM

Unprotected MongoDB, tables without password, data in plain text. It's a textbook example of doing absolutely everything wrong.

by plagiarist on 3/12/2026, 2:40 PM

Yet another point of proof that the US needs a HIPAA covering PII.

by mbix77 on 3/12/2026, 10:16 AM

What did measures like GDPR ever achieve except for making me click a cookie prompt away?

by esperent on 3/12/2026, 11:39 AM

This is actually a Fox News article and as far as I can see it's not corroborated anywhere.

I saw a Reddit thread about it earlier where someone said the apparent hacker refused to actually show any of the data and was asking for money. So probably just a scam rather than a real leak.