• Full names
  • Addresses
  • Post codes
  • Dates of birth
  • National IDs
  • Phone numbers
  • Genders
  • Email addresses
  • Telco metadata
  • Breach status and social profile annotations

Good luck everyone.

  • freedickpics@lemmy.ml
    4 days ago

    Don’t worry, I’m sure the government is working overtime to draft a new law requiring companies to collect even more personal info. They’ve got us covered.

  • fizzle@quokk.au
    4 days ago

    Sadly I see a lot of victims of scams / identity fraud in my work.

    My advice to people generally is:

    Be vigilant, don’t click links in emails, don’t talk to people who call you, have conversations with the people you care about reminding them to also be vigilant.

    For access to government services, set up the myId app for 2fa, don’t use SMS.

    For other services, use a 2fa code generator, or SMS if that’s all that’s available.

    Use a password manager, but be wary that non-technical people might find this out of reach. Their browser’s built-in password management is better than nothing.

    Your State’s department of transport probably lets you lock your profile so your driver’s license number can’t be used to verify your identity. Be aware that you’ll need to unlock this when you want to allow someone to confirm your ID.

    Similarly you can lock your credit rating at Experian or Equifax:

  • thatKamGuy@sh.itjust.works
    4 days ago

    So nearly half the population (assuming no duplicates)? Fuck me dead.

    Any idea how long until Have I Been Pwned is updated?

  • FreedomAdvocate@lemmy.net.au
    4 days ago

    Misleading. Some researchers found an unsecured database, contacted the owners, and they secured it. There is no evidence of the data actually being leaked.

    • sys110x@aussie.zone
      4 days ago

      It’s not misleading. A database of personally identifiable information being exposed on the internet is a data leak. Personally identifiable information is legally required to be protected, while an exposed database on the internet is about as far from ‘protected’ as you can get.

      The article and title make no claim to active selling or known exploitation of the data, but to write this off as nothing would be a mistake. Are you sure that only the Cybernews team found it?

      The Cybernews team discovered the exposed MongoDB instance on November 11th, 2025 and immediately notified IDMerit. The company secured the database by November 12th.

      We don’t know how long it was exposed for prior to it being discovered on the 11th - it might’ve been that day, it might’ve been a few months.

      • FreedomAdvocate@lemmy.net.au
        2 days ago

        It is misleading to say it was leaked because there’s no evidence that anyone saw it.

        If no one’s data was stolen, was there a leak?

        It was unsecured, but it was not leaked unless someone accessed it. To try and pretend that there’s no difference is pure idiocy.

        • sys110x@aussie.zone
          1 day ago

          If your house plumbing is leaking, it’s not a leak to you unless you see it? How do you know it hasn’t been accessed?

          Thankfully we don’t need to rely on your definition of a data leak: https://www.fortinet.com/resources/cyberglossary/data-leak

          A data leak happens when an internal party or source exposes sensitive data, usually unintentionally or by accident.

          This is sensitive data that’s accidentally been exposed on the internet. That is a leak. You are misinformed on what a data leak is.

          • FreedomAdvocate@lemmy.net.au
            1 day ago

            Great analogy, but not for the point you’re trying to make.

            If your house plumbing is leaking there is water going out where it shouldn’t be. You’re saying it’s a leak just because there’s a tap out near the footpath that could be turned on by someone to use your water, even if not a single drop of water has ever come out of it.

            With an unsecured server the data isn’t going where it shouldn’t be unless someone takes it. Without evidence of someone taking it, nothing was leaked.

            • sys110x@aussie.zone
              1 day ago

              If your house plumbing is leaking there is water going out where it shouldn’t be.

              Yes. Correct. Personally Identifiable Information openly exposed on the internet is information going out where it shouldn’t be.

              If your house is leaking, whether there’s someone out there with a cup doesn’t change whether your house is leaking or not. It only changes whether someone took your water, i.e. a breach.

              Data leak and data breach have specific definitions:

              Data Leak vs Data Breach: What Is the Difference? While many use the terms “data leak” and “data breach” interchangeably, there is a difference between the two. A data leak often comes from within the organization either by accident or intent, while a data breach occurs when confidential or otherwise protected information is accessed, stolen, or used by outsiders without authorization. https://www.fortinet.com/resources/cyberglossary/data-leak

              https://www.microsoft.com/en-us/security/business/security-101/what-is-a-data-leak

              https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/what-is-a-data-breach

              https://www.ibm.com/think/topics/data-leakage

              https://www.trendmicro.com/en/what-is/data-breach/data-leak.html

              This is a data leak. We don’t know yet if it’s a data breach. We might not know until active exploitation.

              Given the lack of control on this data, and that it wasn’t fixed until the researchers told them about it, do you trust IDMerit to have the scrutiny on their logging to know if it was accessed externally? I don’t.
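The question the thread keeps returning to, whether anyone outside connected while the MongoDB instance was exposed, is answered from the server's connection logs. The following is an added example, not part of any comment above and not IDMerit's or Cybernews's code: it assumes MongoDB's structured JSON log format (4.4 and later), and the internal ranges, function name and sample lines are constructed for illustration.

```python
import ipaddress
import json

# Assumed internal ranges for this example; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Constructed sample log lines (documentation IP ranges stand in for outsiders).
SAMPLE_LOG = "\n".join([
    '{"t":{"$date":"2025-11-10T02:14:07.101+00:00"},"s":"I","c":"NETWORK","id":22943,'
    '"msg":"Connection accepted","attr":{"remote":"10.0.3.15:51022","connectionId":41}}',
    '{"t":{"$date":"2025-11-10T03:40:55.000+00:00"},"s":"I","c":"NETWORK","id":22943,'
    '"msg":"Connection accepted","attr":{"remote":"203.0.113.7:40112","connectionId":42}}',
    'mongod starting (legacy text line, not JSON)',
    '{"t":{"$date":"2025-11-10T03:41:10.000+00:00"},"s":"I","c":"NETWORK","id":22944,'
    '"msg":"Connection ended","attr":{"remote":"203.0.113.7:40112","connectionId":42}}',
    '{"t":{"$date":"2025-11-11T09:02:31.000+00:00"},"s":"I","c":"NETWORK","id":22943,'
    '"msg":"Connection accepted","attr":{"remote":"203.0.113.7:40388","connectionId":43}}',
    '{"t":{"$date":"2025-11-11T09:05:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,'
    '"msg":"Connection accepted","attr":{"remote":"198.51.100.23:6001","connectionId":44}}',
])

def external_connections(log_text, internal_nets=INTERNAL_NETS):
    """Return {ip: (count, first_seen, last_seen)} for accepted connections
    whose source address is outside every network in internal_nets."""
    seen = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # legacy or truncated line
        if not isinstance(entry, dict) or entry.get("msg") != "Connection accepted":
            continue
        remote = entry.get("attr", {}).get("remote", "")
        host = remote.rsplit(":", 1)[0].strip("[]")  # drop port, IPv6 brackets
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # e.g. a unix socket path
        if any(ip in net for net in internal_nets):
            continue
        ts = entry["t"]["$date"]
        count, first, _ = seen.get(str(ip), (0, ts, ts))
        seen[str(ip)] = (count + 1, first, ts)
    return seen

if __name__ == "__main__":
    for ip, (count, first, last) in external_connections(SAMPLE_LOG).items():
        print(f"{ip}: {count} connection(s), first {first}, last {last}")
```

An empty result only covers the period the retained logs span; if logs were rotated away or never kept, it says nothing about access before that.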

              • FreedomAdvocate@lemmy.net.au
                1 day ago

                It’s not going out unless someone requests it though. Data from a database on an unsecured server doesn’t just find its way onto the Internet or hackers’ computers - they need to take it.

                This is why I said it’s misleading. There’s no evidence of anything being taken. It was there for the taking, but if it wasn’t taken then no one’s details were compromised.