Hacker News

1B identity records exposed in ID verification data leak

166 points by robtherobber, today at 9:46 AM | 38 comments

Comments

gehwartzen, today at 3:07 PM

At this point I get about 1-2 emails a year telling me some company has exposed my private data in some way. It’s completely routine.

We need a law mandating the company pays at least $1k per exposed record per customer or absolutely nothing will change. The current cost of “here’s a year's worth of credit monitoring” doesn’t even amount to a slap on the wrist.

neya, today at 11:14 AM

If I was in Vegas, I would bet my life savings that the CXOs of the said ID Verification company's data isn't included in the leak. This is just like that McDonald's CEO's video - they never use what they create.

cataflam, today at 10:24 AM

Almost a month old, original source: https://cybernews.com/security/global-data-leak-exposes-bill...

and I've never seen any confirmation elsewhere.

Looks like CyberNews have edited the article with more info since I first saw it; it used to look quite suspicious and untrustworthy, and it now has more info. It still doesn't say exactly what a record is, or how many uniques there are.

gregbot, today at 3:37 PM

This made me absolutely livid:

> We requested a security incident report from the ethical hackers as proof

So instead of paying him a fair bug bounty, they demand that he write a formal report for them and prove to them that there is even a problem.

Totally unhinged, but it gets worse:

> the response was a demand for money for the report, which confirmed our suspicion that this was a ransom-related incident.

Wow. So when the security researcher informs them that he would be happy to do some consulting work for them and informs them of his rates, they flip out and accuse his initial Good Samaritan decision to inform the company of the issue of being part of a plot by him to hold the company for ransom?

Whoever thought this is both totally delusional and a complete jerk. Truly, no good deed goes unpunished.

egorfine, today at 10:09 AM

KYC = Kill Your Customer.

chikinpotpi, today at 1:39 PM

Nobody told their marketing department:

https://www.idmerit.com/blog/idmerits-data-breach-fail-safe-...

Archived for posterity: https://archive.ph/MdSfO

rmnclmnt, today at 1:43 PM

Unrelated to the story but TIL AOL is still a thing in 2026!

whatsupdog, today at 10:59 AM

Where the F does IDMerit even get all this data from? They have names, DOBs, addresses, phone numbers, national identity numbers for over a billion people? How?

jajuuka, today at 3:30 PM

Unprotected MongoDB, tables without password, data in plain text. It's a textbook example of doing absolutely everything wrong.

pirate787, today at 12:18 PM

While this leak may or may not have happened, for this type of exposure there should be criminal liability for developers and executives. Criminal negligence and prison time.

bilekas, today at 11:42 AM

> That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment

The fact that they didn't vet their data providers then has to be considered a form of negligence. In the end, it's the company I am handing over my details to that has to act responsibly, not their providers.

I hate this responsibility delegating when it's not a good look, and this will continue to get worse now as the entire internet will be ID gated soon. But don't worry, all the lapses in privacy and even security are in the name of 'saving the kids'.

djohnston, today at 12:33 PM

aol.com!?!?

esperent, today at 11:39 AM

This is actually a Fox News article and as far as I can see it's not corroborated anywhere.

I saw a Reddit thread about it earlier where someone said the apparent hacker refused to actually show any of the data and was asking for money. So probably just a scam rather than a real leak.

plagiarist, today at 2:40 PM

Yet another point of proof that the US needs a HIPAA covering PII.

mbix77, today at 10:16 AM

What did measures like GDPR ever achieve except for making me click a cookie prompt away?