Cybernews researchers discovered on November 11, 2025, that IDMerit (a US identity verification and KYC/AML services provider) had left a MongoDB database publicly exposed without authentication. The database was secured November 12, 2025. Disclosure occurred February 18, 2026 (99 days after discovery). The exposed database contained approximately 1 billion personally identifiable records across 26 countries, including full names, addresses, national ID numbers, dates of birth, phone numbers, email addresses, telecom metadata, and KYC/AML verification logs. The US accounted for 203 million records, Mexico 124 million. No confirmed malicious access was reported, and no regulatory enforcement actions were announced as of February 2026.