New AI Data Leak Exposes Over 1 Billion Personal Records

A massive AI data leak has exposed over 1 billion personal records through an unsecured identity verification database, creating what researchers describe as a treasure trove for cybercriminals.

The IDMerit data breach affected individuals across 26 countries, with 203 million records belonging to U.S. citizens alone.

Researchers discovered the exposed MongoDB instance on November 11, 2025. The database contained nearly a terabyte of sensitive information, including national identification numbers, full names, addresses, phone numbers, and email addresses. IDMerit secured the leak within 24 hours of notification.

A second AI data leak emerged simultaneously involving the Video AI Art Generator & Maker Android app. This exposure compromised approximately 2 million photographs and videos from over 500,000 users.

Category: Cyber Threats – Category: Cyber Threats –

AI Data Leak: What You Need to Know

• Over 1 billion records exposed through unsecured AI identity verification databases, with 203 million affecting U.S. citizens.

The Scale of the IDMerit Data Breach

The research team identified the exposure while monitoring unsecured MongoDB instances. The database collection contained approximately 1 billion records spanning 26 countries.

The United States accounted for 203 million records. Germany, France, China, and Brazil also experienced significant exposure.

The leaked data consisted primarily of know-your-customer information. Financial institutions use this data to prevent fraud and comply with anti-money laundering regulations. The exposure creates opportunities for the exact crimes these systems were designed to prevent.

The MongoDB instance lacked any authentication requirements. Anyone with technical knowledge to locate it could access the entire dataset.

Security experts warn that automated threat actor systems continuously scan for such exposures. Others likely discovered the breach before researchers reported it.

What Personal Information Was Compromised

The exposed databases contained complete identity profiles enabling multiple fraud types:

• Full names paired with residential addresses and postal codes – Creating complete location profiles for millions of individuals
• Dates of birth and national identification numbers – Particularly valuable because victims cannot easily change them
• Phone numbers and email addresses – Providing direct vectors for phishing and social engineering attacks
• Telecommunications metadata – Revealing behavioral patterns, relationships, and movements

Security researchers emphasize this combination creates comprehensive victim profiles. Each data point complements others for identity theft operations. Similar data breaches have impacted hundreds of thousands of individuals in recent months.

The Second AI-Related Exposure: Video AI App Leak

Researchers disclosed a second AI data leak involving the Video AI Art Generator & Maker app developed by Codeway. The app has over 500,000 downloads and 11,000 positive Google Play Store reviews.

A misconfigured cloud storage bucket caused the breach. The exposure included:

• 2.87 million AI-generated videos
• 386,000 AI-generated audio files
• 2.87 million AI-generated images
• 385,000 user-uploaded videos
• 1.57 million user-uploaded images

Codeway secured access to the data on February 3, 2025, following researcher notification. The exposed media could enable harassment or blackmail depending on content.

Understanding the Risks and Security Implications

These AI data leaks create substantial downstream risks. Account takeovers represent the most immediate threat. Criminals can use exposed email addresses, phone numbers, and personal details to bypass security questions.

Targeted phishing campaigns become significantly more effective with detailed personal information. Attackers craft personalized communications referencing accurate victim details.

This spear phishing technique dramatically increases success rates. Understanding phishing scams and protection methods is essential.

Credit fraud and identity theft pose long-term threats. Criminals can open accounts, apply for credit, or file fraudulent tax returns using exposed national identification numbers and addresses. SIM swapping attacks become trivially easy with telecommunications metadata.

Researchers describe “long-tail privacy harms” that emerge over months or years. Data circulates through criminal networks and combines with other breach information.

Affected individuals face increased vulnerability as their information cross-references with other leaked databases.

How AI Services Are Becoming Security Targets

Two significant AI-related exposures in quick succession highlight a troubling trend. Companies rushing to integrate AI capabilities sometimes treat security as secondary. Competitive pressure leads to shortcuts in security architecture.

AI-powered services require vast data quantities. Identity verification systems need extensive personal information. AI photo applications require access to user images. This data necessity creates attractive targets where single breaches yield enormous information quantities.

AI system complexity introduces unique vulnerabilities. Cloud storage configurations, database access controls, and API security present potential weak points. Both the IDMerit and Codeway incidents resulted from misconfiguration rather than sophisticated attacks.

Basic security practices are not consistently applied. Recent AI cybersecurity benchmarks reveal ongoing challenges in the sector.

Evaluating AI-Powered Identity Verification

Advantages:

AI verification systems process documents faster than manual review while increasing accuracy. Machine learning algorithms detect sophisticated forgeries that fool human reviewers.

The scalability allows financial institutions to process millions of requests without proportional staff increases. Smaller organizations can implement verification standards previously available only to large enterprises.

Disadvantages:

The IDMerit breach starkly illustrates centralization risks. When a single service holds identity information for millions across multiple countries, security failures have catastrophic potential.

Traditional decentralized verification methods distribute risk rather than creating single failure points.

AI verification systems typically retain data for extended periods, creating ongoing exposure risk. The black-box nature of AI algorithms raises questions about bias and accuracy. Even companies specializing in identity verification are not immune to basic configuration errors.

Protecting Yourself After a Data Exposure

Immediate protective steps can mitigate potential damage:

• Check exposure status – Visit Have I Been Pwned to see if your email appears in known breaches
• Implement a password manager – Generate unique, complex passwords for each account
• Enable passkey authentication – Cryptographic keys resist phishing and credential theft
• Place credit protections – Request fraud alerts or security freezes from major credit bureaus

Remain vigilant for phishing attempts. Scammers may possess accurate personal information and use it to build credibility. Verify unexpected requests through independent channels. Learning how to avoid phishing attacks is essential.

Conclusion

The exposure of over 1 billion records through AI-powered services marks a watershed moment in data security. These incidents demonstrate that companies specializing in identity verification remain vulnerable to basic configuration errors with catastrophic consequences.

For individuals, these leaks underscore the necessity of assuming personal information will eventually be compromised. Security practices including password managers, multi-factor authentication, and skepticism toward unexpected communications are essential.

The AI sector must treat security as foundational rather than secondary. As AI services integrate into critical infrastructure, security failure impacts will intensify. Regulators, industry bodies, and consumers must demand higher standards before the next billion records are exposed.

Questions Worth Answering

How do I know if my data was included in the AI data leak?

• Check Have I Been Pwned for your email. Monitor accounts for suspicious activity and place fraud alerts.

What is the difference between a data breach and a data leak?

• Breaches involve malicious hacking. Leaks result from misconfigurations. Consequences are often similar.

Can I take legal action against IDMerit or Codeway?

• Options depend on jurisdiction and demonstrated harm. GDPR provides EU protections. Consult a privacy attorney.

Why are AI companies particularly vulnerable to data leaks?

• Rapid development prioritizes functionality over security. Large centralized databases create attractive targets.

How long will my exposed data remain a threat?

• Data circulates indefinitely through criminal networks. IDs and birth dates remain permanently valuable to criminals.

Should I change my national identification number after this leak?

• Most countries reserve number changes for extreme circumstances. Focus on credit freezes and fraud alerts instead.

Are AI-powered services inherently less secure than traditional services?

• Not inherently, but rapid development creates risks. Proper security architecture can match traditional standards.

About IDMerit

IDMerit provides AI-powered digital identity verification services to financial institutions and organizations requiring know-your-customer compliance. The company helps clients prevent fraud and meet anti-money laundering regulations across multiple jurisdictions.

The company processes verification requests for clients in at least 26 countries. IDMerit maintains databases containing national identification numbers, addresses, and biographical details. Its platform uses machine learning to verify document authenticity.

Following the November 2025 exposure, IDMerit secured the vulnerable MongoDB instance within 24 hours. The company has not released public statements regarding affected individuals or preventive measures.

About Davey Winder

Davey Winder is a veteran cybersecurity writer, hacker, and analyst contributing regularly to Forbes. With decades of information security experience, Winder translates complex technical issues into accessible analysis.

As a Forbes Senior Contributor, Winder covers breaking cybersecurity news, data breach investigations, and emerging digital threats. His reporting combines technical expertise with investigative journalism.

Winder’s coverage of the IDMerit and Codeway exposures demonstrates his approach of rapid threat reporting with practical victim guidance.