Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at IDMerit, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible MongoDB instance containing over 3 billion records (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated that roughly 1 billion records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across 26 countries, with large volumes attributed to the US, Mexico, and the Philippines, creating downstream risk for identity fraud, account takeover, phishing, and SIM-swap activity.
Separately, Australian finance technology platform youX confirmed an unauthorized third-party access incident, after which a hacker claimed theft of data tied to 444,528 Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. Substack also confirmed unauthorized access to limited user data (including email addresses, phone numbers, and internal account metadata) that occurred in October 2025 but was only identified on Feb. 3, 2026; Substack stated passwords and payment card/financial data were not accessed, but the extended detection gap raised concerns about monitoring and dwell time.
Timeline
Feb 20, 2026
youX breach report says 440,000 Australians' data was exposed
Reporting on the youX incident said a hacker exposed personal data allegedly stolen from the company, affecting about 440,000 Australians. The exposed information reportedly included contact details, government IDs, driver’s licence numbers, credit information, addresses, and banking records.
Feb 20, 2026
Researchers report massive exposed IDMerit MongoDB database
Security researchers disclosed that an unsecured MongoDB database attributed to IDMerit was publicly accessible and contained more than three billion records. The exposed data reportedly included highly sensitive personal information affecting individuals across 26 countries.
Feb 18, 2026
Substack publicly discloses breach and warns users
Substack publicly disclosed the incident, apologized to users, and advised them to watch for suspicious emails or text messages. The company said it had no evidence of misuse and was implementing additional safeguards.
Feb 18, 2026
Threat actor posts alleged Substack database on BreachForums
BleepingComputer reported that a threat actor published a database allegedly tied to Substack on BreachForums. The post reportedly contained 697,313 records, though Substack did not confirm that figure.
Feb 13, 2026
youX suffers cyber incident affecting its systems
Sydney-based finance technology company youX confirmed that an unauthorized third party accessed its systems during a cybersecurity incident described as occurring the week before the report. The attacker allegedly stole data tied to borrowers, loan applicants, customers, staff, and broker organizations.
Feb 3, 2026
Substack detected the October 2025 data exposure
Substack said it did not discover the unauthorized access until Feb. 3, 2026, leaving an exposure window of roughly 100 days. After detection, the company fixed the underlying system issue and began a full investigation.
Oct 1, 2025
Substack user data was accessed by an unauthorized party
Substack said an unauthorized third party accessed limited user data in October 2025, including email addresses, phone numbers, and internal account metadata. The company stated that passwords, credit card numbers, and other financial information were not accessed.
Related Stories

Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
1 month ago
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
1 month ago
Substack Data Breach Exposes User Email Addresses and Phone Numbers
Substack confirmed an incident in which an **unauthorized third party** accessed limited user data, including **email addresses**, **phone numbers**, and other unspecified **internal metadata**. The company said the access occurred in **October 2025** and that **passwords, credit card numbers, and other financial information were not accessed**; CEO Chris Best stated Substack identified evidence of the issue in early February and has since **fixed the underlying problem** and opened an investigation. Public reporting indicates the breach may be connected to data posted on criminal forums: a threat actor allegedly leaked a database on **BreachForums** containing **697,313 records** and claimed the data was obtained via a “noisy” scraping method that was quickly patched. Substack has not disclosed the number of affected users or the precise technical root cause, and both reports note the company advised users to be cautious about **phishing** attempts leveraging the exposed contact details.
1 month ago