
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access

Tags: database leak, data exposure, identity fraud, identity verification, third-party access, account takeover, substack, unauthorized access, email addresses, mongodb, phishing, kyc, misconfiguration, national id, pii

Updated February 21, 2026 at 04:03 AM | 3 sources

Cybersecurity researchers reported a major exposure at IDMerit, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible MongoDB instance containing over 3 billion records (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated that roughly 1 billion records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across 26 countries, with large volumes attributed to the US, Mexico, and the Philippines, creating downstream risk for identity fraud, account takeover, phishing, and SIM-swap activity.

Separately, Australian finance technology platform youX confirmed an unauthorized third-party access incident, after which a hacker claimed theft of data tied to 444,528 Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. Substack also confirmed unauthorized access to limited user data (including email addresses, phone numbers, and internal account metadata) that occurred in October 2025 but was only identified on Feb. 3, 2026; Substack stated passwords and payment card/financial data were not accessed, but the extended detection gap raised concerns about monitoring and dwell time.

Related Stories

Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials


Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.

2 months ago

Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores


Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.

1 month ago

Substack Data Breach Exposes User Email Addresses and Phone Numbers


Substack confirmed an incident in which an **unauthorized third party** accessed limited user data, including **email addresses**, **phone numbers**, and other unspecified **internal metadata**. The company said the access occurred in **October 2025** and that **passwords, credit card numbers, and other financial information were not accessed**; CEO Chris Best stated Substack identified evidence of the issue in early February and has since **fixed the underlying problem** and opened an investigation. Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on **BreachForums** containing **697,313 records** and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about **phishing** attempts leveraging the exposed contact details.

1 month ago
