ah shit, here we go again

4 days ago a company called IDMerit left their database with 1 billion personal records open on the internet with no password. What is IDMerit? A KYC verification company. One designed and promised to keep your data safe.

Welcome to the dawn of AI powered identity verification. Cybernews researchers found a totally unprotected MongoDB database in November last year. With.. get this.. 1 terabyte. 3 billion records with 1 billion containing sensitive personal info across 26 countries.

So what sensitive information? Pretty much exactly what you would want to protect. Full legal names, home addresses and postal codes, dates of birth, national identification numbers, phone numbers, email addresses and telecom metadata.

The USA had 204 million records exposed. Mexico 120+ million. Philippines 72 million. Germany 61 million. Italy and France 53 million each. So is it any wonder kidnappings are on the rise in France? Hell the French tax office is implicated in exposing private data.

This wasn't some sophisticated hack. Not some zero day exploit. It was literally a database being left open on the internet with no password. The companies that are supposed to protect your identity can't even protect their own database.

So yeah, what we get here is not another isolated case. This is a pattern. Let's look at what happened in just the last couple years alone.
Coinbase May 2025: employees in India bribed to steal KYC data. 69,461 users. Government IDs, social security numbers, bank details, transaction histories. Cost: $180-400 million.

Transak 2024: 92,554 users' government IDs and selfies stolen from one phished employee. Signzy 2024: major KYC provider breached, customer data from banks appeared on the dark web. NCX Exchange 2025: 2 million records leaked including KYC documents.

Indian Financial Institutions 2025: 500GB of KYC data exposed through a bad storage bucket. UK 2025: a GB of selfies, IDs, passports, and driver's licenses dumped on dark web forums. Just sitting there for the taking.

Then like just a few days ago completely separate from the IDMerit leak, at Abu Dhabi Finance Week more than 700 passport scans and government ID cards were found unprotected on a cloud server. These were world leaders, politicians, and major business figures.

So yeah, you're talking about billions of records in the last year alone that have been leaked. These are just the ones that have been reported so far. It's really not if your KYC data gets leaked. It's when.

Like every company out there that collects your passport is making a bet. Of course they don't WANT your data to get leaked. But they are just betting. Betting an employee won't be bribed. Their database won't get hacked. But the odds are against them. Every. Single. Time.

But you know what? You can't change your passport number. You can't change your face. You can't change your date of birth. When a password leaks you can change it, but when your ID leaks you're compromised for the rest of your life.

In 2024 finance overtook healthcare as the most hacked industry. 30% of breaches now involve third-party vendors. What did Satoshi say about trusted third parties? Well yeah... here we are. Now owning bitcoin can be dangerous if your data falls into the wrong hands.

Last week I shared that KYC catches less than 0.1% of criminal money and costs 100x more than it
recovers. I showed you how it can be used as a weapon against protesters, political opponents, and legal businesses. Well look at this. It couldn't be more clear.

The data isn't safe and it was never going to be safe. 1 billion records sitting on the internet with no password just again proves that. But this is what I just don't understand. We have the evidence. We have years of it. Breach after breach after breach.

For a lot of you it starts with your inbox full of phishing emails. Your passport on the dark web. But for some it starts with being dragged into the back of someone's kidnapper van with your pinkie finger removed.

What's even more bonkers is that today as I'm writing this, PayPal has disclosed that for more than six months a code error exposed customers' Social Security numbers, names, addresses, dates of birth. How did they respond? Sorry, here is some free credit monitoring.

In 2023 the Swedish police raided Mullvad VPN with a search warrant. They wanted user data. They left with nothing because there was nothing to give. The answer is never better security. It's never stronger passwords. The answer is to never collect data in the first place.

So yeah, if you're reading this and you're thinking like well what can we do at this point? Is it too late? No, it's not too late. Stop using services that require a passport to buy bitcoin. It's that simple.

Use something like nostr:nprofile1qqsd54k9fd0xwjwkttgr3svkg7reftu5una95nhacg95nxq7fmzkdscpp4mhxue69uhkummn9ekx7mqpzamhxue69uhhyetvv9ujucm4wfex2mn59en8j6gtpc5wz its totally free, completely open source, lets you buy and sell bitcoin peer to peer with no KYC, no ID, no database, no freaking honeypot. Using Vexl and trading with cash means your transaction history and ID won't end up in the next open database. Download it at vex.it

Genuinely if you think this was useful help me scream it. I think people just don't know this is happening. They hand over their data and they don't hear about this before it's too late. Protect yourself. No one else will.

Sources:
IDMerit breach: https://cybernews.com/security/global-data-leak-exposes-billion-records/

Coinbase breach: https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists

Abu Dhabi leak: https://www.reuters.com/world/middle-east/data-leak-abu-dhabi-finance-summit-exposes-global-figures-ft-reports-2026-02-17/

PayPal breach: https://www.bleepingcomputer.com/news/security/paypal-discloses-data-breach-exposing-users-personal-information/

KYC breach tracker: https://github.com/etheralpha/kycisbad

Vexl: https://vexl.it/
https://blossom.primal.net/0a050e58ffb4c0fb5b5f1d16f7aa56f4aa619289b6faaab6b05d06a94e2d576c.jpg