Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at IDMerit, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible MongoDB instance containing over 3 billion records (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly ~1 billion records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across 26 countries, with large volumes attributed to the US, Mexico, and the Philippines, creating downstream risk for identity fraud, account takeover, phishing, and SIM-swap activity.
Separately, Australian finance technology platform youX confirmed an unauthorized third-party access incident, after which a hacker claimed theft of data tied to 444,528 Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. Substack also confirmed unauthorized access to limited user data (including email addresses, phone numbers, and internal account metadata) that occurred in October 2025 but was only identified on Feb. 3, 2026; Substack stated passwords and payment card/financial data were not accessed, but the extended detection gap raised concerns about monitoring and dwell time.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
youX breach report says 440,000 Australians' data was exposed
Reporting on the youX incident said a hacker exposed personal data allegedly stolen from the company, affecting about 440,000 Australians. The exposed information reportedly included contact details, government IDs, driver’s licence numbers, credit information, addresses, and banking records.
Researchers report massive exposed IDMerit MongoDB database
Security researchers disclosed that an unsecured MongoDB database attributed to IDMerit was publicly accessible and contained more than three billion records. The exposed data reportedly included highly sensitive personal information affecting individuals across 26 countries.
Substack publicly discloses breach and warns users
Substack publicly disclosed the incident, apologized to users, and advised them to watch for suspicious emails or text messages. The company said it had no evidence of misuse and was implementing additional safeguards.
Threat actor posts alleged Substack database on BreachForums
BleepingComputer reported that a threat actor published a database allegedly tied to Substack on BreachForums. The post reportedly contained 697,313 records, though Substack did not confirm that figure.
youX suffers cyber incident affecting its systems
Sydney-based finance technology company youX confirmed that an unauthorized third party accessed its systems during a cybersecurity incident described as occurring the week before the report. The attacker allegedly stole data tied to borrowers, loan applicants, customers, staff, and broker organizations.
Substack detected the October 2025 data exposure
Substack said it did not discover the unauthorized access until 2026-02-03, leaving an exposure window of roughly 100 days. After detection, the company fixed the underlying system issue and began a full investigation.
Substack user data was accessed by an unauthorized party
Substack said an unauthorized third party accessed limited user data in October 2025, including email addresses, phone numbers, and internal account metadata. The company stated that passwords, credit card numbers, and other financial information were not accessed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
IDMerit exposes billions of records in major data leak | SC Media
scworld.com
Open sourceLoan applications, drivers licences, personal data of 440k Aussies exposed after hacker hits Sydney finance tech company youX - DataBreaches.Net
databreaches.net
Open sourceSubstack Breach May Have Leaked Nearly 700,000 User Details Online
techrepublic.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026
Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an **unauthorized third party** accessed limited user data, including **email addresses**, **phone numbers**, and other unspecified **internal metadata**. The company said the access occurred in **October 2025** and that **passwords, credit card numbers, and other financial information were not accessed**; CEO Chris Best stated Substack identified evidence of the issue in early February and has since **fixed the underlying problem** and opened an investigation. Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on **BreachForums** containing **697,313 records** and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about **phishing** attempts leveraging the exposed contact details.
Mar 21, 2026