1B identity records exposed in ID verification data leak

https://www.aol.com/articles/1-billion-identity-records-exposed-152505381.html
80•robtherobber•2h ago

Comments

egorfine•2h ago
KYC = Kill Your Customer.
mbix77•2h ago
What did measures like GDPR ever achieve except for making me click a cookie prompt away?
Rygian•2h ago
Actual punitive measures taken against entities who e.g. manipulate personal data in a negligent way. [1]

Which was much harder to achieve before.

[1] https://www.enforcementtracker.com/

loloquwowndueo•1h ago
Right to be forgotten - you can ask companies to delete data they hold on you.

Data ownership/portability: you can ask companies for a copy of all data they hold on you or related to you.

I’ve seen the latter used by job applicants to get an entire copy of their interviews, transcripts and assessments including the reason for not being hired.

etothepii•1h ago
In the UK, open banking was essentially a response to GDPR; this has allowed (to a limited extent) a variety of tools to be built on top of bank accounts that otherwise would not have been.
pjc50•1h ago
That was actually the two Payment Services Directives: https://blog.finexer.com/guide-to-psd2-regulation-for-open-b...
pjc50•1h ago
GDPR doesn't apply in the states, but hopefully it provides for some punishment for the poor security here for EU customers. Of course, then some Americans will get mad that a US company has to follow EU law.
ralferoo•1h ago
The GDPR applies worldwide to any data held about EU or UK citizens, regardless of where they reside. It does apply in the US, it's just potentially harder for the EU to enforce meaningful penalties for infractions.
bilekas•42m ago
> Of course, then some Americans will get mad that a US company has to follow EU law.

This is always the way of the world though, if you want to do business anywhere, you are of course obligated to follow the local laws and regulations. I don't see anyone disputing this outside of blatant patent infringement by certain countries.

cataflam•2h ago
Almost a month old, original source: https://cybernews.com/security/global-data-leak-exposes-bill...

and I've never seen any confirmation elsewhere

Looks like CyberNews have edited the article with more info since I first saw it. It used to look quite suspicious and untrustworthy; it now has more info. Still doesn't say exactly what a record is, or how many uniques there are.

tootie•40m ago
It's a weird article. For one, the researcher says "they believe" the data belongs to IDMerit but apparently aren't sure. IDMerit denies it's the owner of the data nor is it any of their partners. And there are very few details about where or how they found this database. It's possibly some kind of hoax or ransom attempt? Or there's really just billions of unaccounted databases of private data just sitting all over the Internet.
uean•35m ago
The cybernews article does have some screenshots showing names like “idmb2c” … also that IDMerit was contacted in November and the ports were closed a day later.
frereubu•33m ago
I presume the database exists, but some of the details don't add up. IDMerit say "IDMERIT’s systems and security infrastructure have never been compromised", "there has never been a data breach or exfiltration from [our partners'] systems during, before, or after this event" and "IDMerit does not own, control or store customer data". But Cybernews says that they "promptly secured the database" after being notified. Cybernews also didn't give the reason why they thought this was to do with IDMerit (unless I missed it). I can't quite make head nor tail of it.
whatsupdog•1h ago
Where the F does IDMerit even get all this data from? They have names, DOBs, addresses, phone numbers, national identity numbers for over a billion people? How?
shakna•1h ago
A record is not necessarily unique. Name changes, address changes, phone number changes, can all create "new" records in dumps like these.
wongarsu•1h ago
The 1B number would contain multiple records per person.

For example, if I (as a German in Germany, ymmv) open a bank account online, that involves a call with one of these companies where they take pictures and information from my passport and check that that's me. Then I choose payment in installments on some online shop, same game. Apply for a small loan? Same game. Set up an account for trading (stock exchange or crypto)? You guessed it, another call. Another payment in installments, backed by the same bank? Apparently verifying my identity again is easier than checking their database. Each of those is another record. Potentially with a new identity document, address or even name (maybe you got married) but mostly just the same data confirmed again with another timestamp.

Not all of them use the same identity verification service, but there aren't that many. And I wouldn't be surprised to learn that many are the same company under different brands

uean•58m ago
Makes sense if the ID verification process involves scanning a driver license or passport.

Edit: rereading this, you’re obviously talking about scale. The original article is much better: https://cybernews.com/security/global-data-leak-exposes-bill...

neya•1h ago
If I was in Vegas, I would bet my life savings that the CXOs of the said ID Verification company's data isn't included in the leak. This is just like that McDonald's CEO's video - they never use what they create.
ezst•29m ago
Or the tech executives barring their children from using social media.
esperent•52m ago
This is actually a Fox News article and as far as I can see it's not corroborated anywhere.

I saw a reddit thread about it earlier where someone said the apparent hacker refused to actually show any of the data and was asking for money. So probably just a scam rather than a real leak.

mapontosevenths•8m ago
The Fox article just cites CyberNews.[0]

Cybernews posts screenshots[1] featuring usernames like idmKYCCN and idmKYCFR, and the ports were locked down after contacting ID Merit.

I think that what's happened is that everyone is telling the literal truth and speaking very carefully to use that truth to obscure rather than inform. To hell with the victims. The way I interpret this is that their denials are both factually accurate AND misleading.

The partner who said there is "no indication that any customer data has been compromised" is telling the literal truth. They can't find any indicators because they stink at logging and the screenshots posted on CyberNews obscure the customer info intentionally. Instead CyberNews only shows the IDM usernames in plaintext. Which was the responsible thing to do. They literally can't see any indications... of customer data... because they don't have logs.

Nobody should ever trust anyone involved in this again if I'm correct in this interpretation of the available facts.

[0] https://www.foxnews.com/tech/1-billion-identity-records-expo...

[1] https://cybernews.com/security/global-data-leak-exposes-bill...

bilekas•49m ago
> That review identified no exposure, vulnerability or unauthorized access within the IDMERIT environment

The fact that they didn't vet their data providers then has to be considered a form of negligence. In the end, it's the company I am handing over my details to to act responsibly, not their providers.

I hate this responsibility delegating when it's not a good look, and this will continue to get worse now as the entire internet will be ID gated soon. But don't worry, all the lapse in privacy and even security in the name of 'saving the kids'.

pirate787•13m ago
While this leak may or may not have happened, for this type of exposure there should be criminal liability for developers and executives. Criminal negligence and prison time.
