Over 250 million identity records have been exposed across seven countries in a massive data leak.
More than a quarter of a billion identity records have been left publicly accessible, exposing citizens from at least seven countries, including Turkey, Egypt, Saudi Arabia, the United Arab Emirates (UAE), Mexico, South Africa, and Canada.
Three misconfigured servers hosted on IP addresses registered in Brazil and the UAE contained detailed personal information, resembling government-level identity profiles. The leaked information included ID numbers, dates of birth, contact details, and home addresses.
Cybernews researchers, who discovered the exposure, say the databases appeared to share the same structure and naming conventions, which might indicate the same source. However, it was not possible to definitively say who was running the servers.
“It's likely that these databases were operated by a single party, due to the similar data structures, but there’s no attribution as to who controlled the data, or any hard links proving that these instances belonged to the same party,” said our researchers.
The breach is especially severe for citizens in Turkey, Egypt, and South Africa, where the databases contained full-spectrum identity details. Leaked detailed information opens the door to a range of abuses, from financial fraud and impersonation to targeted phishing campaigns and scams.
Cybernews contacted the hosting providers, and as of now, the data is no longer publicly accessible.
Entire nations affected by data leaks
This isn’t the first time a huge dataset hosting citizen data has been found online. Cybernews research has shown that the entire population of Brazil might have been affected by a data leak.
A misconfigured Elasticsearch instance contained the data with full names, dates of birth, sex, and Cadastro de Pessoas Físicas (CPF) numbers. This 11-digit number identifies individual taxpayers in Brazil.
Have thoughts about this topic? Others do, too. Join them in the discussion.
In the same year, a data leak linked to Bankingly, a fintech platform that provides web services and mobile applications to financial institutions in Latin America, impacted citizens from the Dominican Republic, Mexico, Ecuador, El Salvador, Bolivia, Costa Rica, and the Dominican Republic.
According to Cybernews researchers, the Uruguay-based company exposed data from seven financial institutions due to misconfigured Azure Blob Storage buckets.
Previously, Cybernews reported massive leaked data sets allegedly belonging to governmental entities offered for sale online. In 2024, threat actors listed 23 terabytes of data on one billion Chinese nationals and several billion case records from the Shanghai police.
The personal data of 105 million Indonesian citizens, including ID card numbers, full names, dates of birth, and other personally identifiable information (PII), has also been leaked and offered for sale online.
Disclosure timeline:
- Leak discovered: May, 2025
- Initial disclosure: May, 2025
- Closed: June, 2025
Your email address will not be published. Required fields are markedmarked