One Billion Identity Records Just Got Exposed — Inside the Biggest ID Verification Leak in History

By Alex Chen

My buddy Marcus called me at 6 AM this morning. Not to say happy birthday (it's not my birthday), not to tell me about his new cat (though he did mention the cat), but to ask me one question: "Did you see what just happened with that ID verification company?"

I hadn't. I was still on my first coffee, scrolling through Hacker News with one eye open, trying to remember if I'd fed my own cat. But within thirty seconds of reading the top story, I was wide awake. And honestly? You should be too.

What Actually Happened

Here's the short version: a massive ID verification service — the kind of company that sits between you and basically every "verify your identity" prompt you've ever clicked through — left approximately one billion identity records exposed in what security researchers are calling the largest identity verification data breach in recorded history. We're not talking about email addresses and passwords here. We're talking about the stuff that makes you you.

The breach was discovered by a security research team who found an unsecured database — no authentication, no encryption, just sitting there like a library book someone left on a park bench. Except this book contained government-issued ID scans, selfie verification photos, full names, dates of birth, and in many cases, Social Security numbers or their national equivalents from dozens of countries.

Let me repeat that for the people in the back: government ID scans. The actual images of passports, driver's licenses, and national ID cards that people uploaded to verify their identities on various platforms. The photos you took of yourself holding your ID next to your face. All of it.

Who's Affected (Spoiler: Probably You)

This is where things get uncomfortable. The ID verification company in question doesn't operate one app or one website. They provide backend verification services to hundreds of companies across fintech, cryptocurrency exchanges, online banking, gig economy platforms, and even some government services. If you've ever been asked to take a photo of your driver's license and then a selfie to prove you're a real person — and let's be honest, who hasn't at this point — there's a non-trivial chance your data was in that database.

My colleague Priya spent her lunch break today trying to remember every service she'd done ID verification for in the past three years. She got to eleven before she gave up. Coinbase, Binance, her bank's new app, two freelancing platforms, a car rental service, an apartment application... the list kept growing. And that's just one person.

The affected records span users across North America, Europe, Southeast Asia, Latin America, and parts of Africa. The company's client list reads like a who's-who of "apps you probably have on your phone."

What Data Was Exposed

I've covered data breaches for years now (a career choice my mother still doesn't fully understand — "so you write about hackers, dear?"), and the severity of exposed data exists on a spectrum. An email/password combo is bad. Financial data is worse. But this breach sits at the absolute top of that spectrum, because the exposed data includes:

  • Full legal names tied to government documents
  • Dates of birth
  • Government-issued ID numbers (SSNs, national ID numbers, passport numbers)
  • High-resolution scans of physical IDs — front and back
  • Selfie verification photos — the "hold your ID next to your face" images
  • Addresses as printed on the IDs
  • Metadata including which services requested the verification and when

That last point is subtle but important. It doesn't just tell an attacker who you are — it tells them where you have accounts. If someone knows you verified your identity on a crypto exchange, a banking app, and a stock trading platform, they now have a roadmap for where to hit you hardest.

Why This Is Different From "Just Another Breach"

I can already hear the breach fatigue settling in. "Another day, another data leak, right?" I get it. My friend Tom literally shrugged when I told him about it over lunch. "They already have everything," he said, dipping his fries in mayo like a man who's given up on digital privacy entirely.

But Tom's wrong (and not just about the mayo thing). Here's why this is categorically different:

You can't change your face. When your password leaks, you change it. When your credit card number leaks, your bank issues a new one. When your government ID, your biometric selfie, and your personal details all leak together? There's no reset button. You can't get a new face. You can't get a new date of birth. In most countries, getting a new government ID number is somewhere between "incredibly difficult" and "basically impossible."

This data is permanently compromised. It will be useful to identity thieves and fraudsters not just today, but for years — possibly decades. The selfie-plus-ID combination is literally the gold standard that companies use to prove someone is who they claim to be. Now that standard is broken for a billion people.

What You Should Do Right Now

I'm not going to sugarcoat this: there's no magic fix. But there are concrete steps that actually help, and I've spent the afternoon talking to three different security researchers (including my friend Sandra, who's been in incident response for fifteen years and has the caffeine tolerance to prove it) to compile the most practical advice.

1. Freeze your credit. Today. Not tomorrow. In the US, contact all three bureaus — Equifax, Experian, and TransUnion. It's free, it takes about ten minutes each, and it's the single most effective thing you can do to prevent someone from opening accounts in your name. If you're outside the US, check your country's equivalent (in the UK, contact CIFAS for a protective registration).

2. Set up fraud alerts. This is different from a credit freeze. A fraud alert tells creditors to take extra steps to verify identity before issuing credit. You only need to contact one bureau and they'll notify the others.

3. Monitor your existing accounts aggressively. Turn on every notification your bank and financial apps offer. Transaction alerts, login alerts, password change alerts — all of it. Yes, your phone will buzz more. That's the point.

4. Check if your ID number has been compromised. Services like Have I Been Pwned are working to integrate this breach data. Keep checking over the next few weeks as they process the dataset.

5. Be extremely suspicious of verification requests. Attackers now have the raw materials to create convincing phishing attacks. If anyone contacts you claiming there's a problem with your identity verification — by email, text, or phone — do not engage. Go directly to the service's website yourself.

6. Document everything now. Take screenshots of your current account statuses, balances, and credit reports. If identity theft happens later, having a clean baseline makes the recovery process significantly easier. (Sandra was emphatic about this one. "People never think to do it until it's too late," she said, in the tone of someone who's watched it happen a thousand times.)

7. Consider an identity theft protection service. I know, I know — it feels like paying for a lock after the horse has bolted. But legitimate services like those offered through your bank or credit card company can provide monitoring and recovery assistance that's genuinely useful when (not if) someone tries to use your stolen data.

The Bigger Question Nobody Wants to Ask

Here's what's been nagging at me all day, and what Marcus and I kept circling back to on our call this morning: why does this data exist in one place at all?

The entire model of centralized identity verification is, frankly, a disaster waiting to happen — and today it happened. We've built a system where billions of people hand over their most sensitive documents to companies they've never heard of, trusting that those companies will protect that data forever. And "forever" is a very long time when you're a startup burning through VC funding with a security team of three people.

I don't have a neat solution to wrap this up with. I wish I did. But what I do know is that right now, today, you should assume your identity data is out there and act accordingly. Freeze that credit. Set up those alerts. And maybe give Marcus a call — he could probably use someone to talk to about this who isn't his cat.

This is a developing story. We'll update this article as more information becomes available about the scope of the breach and affected services. Last updated: March 12, 2026.
