It’s not misleading. A database of personally identifiable information being exposed on the internet is a data leak. Personally identifiable information is legally required to be protected, while an exposed database on the internet is about as far from ‘protected’ as you can get.

The article and title make no claim to active selling or known exploitation of the data, but to write this off as nothing would be a mistake. Are you sure that only the Cybernews team found it?

The Cybernews team discovered the exposed MongoDB instance on November 11th, 2025 and immediately notified IDMerit. The company secured the database by November 12th.

We don’t know how long it was exposed for prior to it being discovered on the 11th - it might’ve been that day, it might’ve been a few months.