A cybersecurity breach of staggering proportions has left the personal information of hundreds of millions of Americans vulnerable to criminals and identity thieves.

An unprotected database connected to IDMerit, a company that provides identity verification services to businesses, exposed approximately one billion sensitive records spanning 26 countries. Within the United States, more than 203 million records were left completely unsecured on the open internet.

The exposed information includes the very documents and details that Americans entrust to companies for identity verification purposes: full names, home addresses, dates of birth, and Social Security numbers. This represents precisely the type of comprehensive personal data that criminals require to commit identity theft and fraud.

Cybersecurity researchers at Cybernews discovered the exposed MongoDB database on November 11. The database contained the exact materials companies use to confirm customer identities during verification processes. The implications are severe. With access to such complete personal profiles, malicious actors possess everything necessary to open fraudulent accounts, file false tax returns, or assume someone’s identity entirely.

IDMerit markets itself as a solution for businesses seeking to verify customer identities accurately. The company’s services are designed to prevent fraud by confirming that individuals are who they claim to be. The exposure of such a vast trove of verification data undermines the very purpose these services are meant to serve.

The scale of this breach extends far beyond American borders, affecting individuals across more than two dozen nations. However, the United States bore a disproportionate share of the exposure, with American records comprising more than one-fifth of the total compromised data.

This incident underscores a troubling pattern in the digital age. Companies collect increasingly detailed personal information to combat fraud and verify identities, yet the centralization of such sensitive data creates attractive targets for criminals. When security measures fail, as they did in this case, the consequences affect millions of innocent Americans who had no say in how their information was stored or protected.

The exposure of an unprotected database raises serious questions about data security practices within the identity verification industry. Companies in this sector handle some of the most sensitive personal information imaginable. Their responsibility to safeguard that data must be absolute.

Americans who may have had their information exposed through this breach should remain vigilant. Monitoring credit reports, watching for suspicious account activity, and considering credit freezes are prudent steps when personal information of this nature has been compromised.

The full extent of any criminal exploitation of this exposed data remains unknown. However, the potential for harm is substantial and long-lasting. Social Security numbers, unlike passwords, cannot simply be changed when compromised.

This breach serves as a stark reminder that in our interconnected digital world, the security of personal information depends entirely on the weakest link in the chain of companies that collect, store, and process our most private details.

Related: Texas School Choice Program Draws 62,000 Applications in First Three Days