Nigeria Joins Global Breach Crisis as 281,500 Accounts Fall Exposed in Early 2026

Some 281,500 Nigerian user accounts were compromised between January and March 2026, placing the country 34th on a global ranking of the most breached nations, according to a quarterly data breach report published by cybersecurity firm Surfshark. The figure arrives as part of a wider global surge: 210.3 million accounts were breached worldwide in that single quarter, underscoring how relentless and industrial-scale digital intrusions have become. For Nigeria, the quarterly count is only part of a far more troubling long-term picture.

A Cumulative Crisis Two Decades in the Making

Since 2004, Nigeria has accumulated 24.1 million compromised accounts - a figure that ranks it third among the most affected countries in Sub-Saharan Africa. That history matters because breached data does not expire. Credentials leaked years ago are routinely recycled, sold on illicit marketplaces and combined with newer stolen information to mount targeted attacks on current accounts.

The breakdown within that cumulative total is particularly revealing. Approximately 7.5 million unique email addresses belonging to Nigerian users have been exposed over the years, while nearly 13 million passwords were leaked alongside those accounts. Email addresses and passwords are the twin keys to most digital services - banking portals, mobile money platforms, government identity systems and social accounts. Once those keys circulate in criminal databases, the window of vulnerability does not close until every affected user has actively changed their credentials.

Surfshark's analysis put the scale of personal exposure in blunt statistical terms: ten out of every hundred Nigerians have been affected by a data breach. That is not a marginal risk. It is a population-level problem.

What Stolen Data Enables - and Who Is Most at Risk

Cybersecurity analysts cited in the report warn that approximately 54 per cent of affected Nigerian users now face elevated risks of account hijacking, identity theft, extortion and related cyber-enabled crimes. The categories of data involved amplify that risk considerably. Financial records, contact details, residential addresses and Social Security-related data have all been exposed - information that enables a wide array of criminal schemes beyond simple password theft.

SIM-swap fraud is among the most damaging downstream threats. In this attack, a criminal uses stolen personal details to convince a mobile network to transfer a victim's phone number to a new SIM card they control, thereby intercepting one-time passwords and bypassing two-factor authentication entirely. With financial records in hand, fraudsters can also craft highly convincing phishing messages that exploit specific, accurate details to lower a target's defences. Residential addresses and identity-adjacent data further enable physical extortion and impersonation.

Nigeria's expanding digital financial ecosystem - mobile money, fintech platforms and online banking - increases the stakes. The more financial activity moves online, the more valuable compromised credentials become to those positioned to exploit them.

Artificial Intelligence Is Changing the Scale of Data Collection

Surfshark's Chief Security Officer, Tomas Stamulis, identified a structural factor driving the growing volume of breaches globally: the rapid adoption of artificial intelligence by businesses. According to figures cited in the report, 20.2 per cent of businesses used AI in 2025, compared to 8.7 per cent in 2023 - a significant acceleration within just two years.

"These AI-driven systems collect and log more detailed user information for automation, analytics and model improvement," Stamulis said. The implication is direct: as companies build more AI-dependent infrastructure, they gather richer, more granular datasets about users. Each of those datasets represents a potential target. A breach that might once have exposed a username and password may now expose behavioural patterns, location histories, transaction records and inferred personal characteristics - all because the underlying system was designed to collect more in order to function better.

This dynamic is not unique to Nigeria, but it interacts with a local context where regulatory enforcement of data protection standards has been uneven and cybersecurity awareness among ordinary users remains limited. Nigeria's Data Protection Act, signed into law in 2023, established a statutory framework for personal data governance. Consistent enforcement, however, requires institutional capacity and resources that regulators are still developing.

The Broader Global Context and What It Suggests

The United States accounted for 29 per cent of all breached accounts globally in the first quarter of 2026 - the single largest national share. France ranked second, followed by India, Brazil and the United Kingdom. The presence of large economies with mature digital infrastructure at the top of that list reflects both the volume of data held by their institutions and the sophistication of attacks directed at them.

Nigeria's position at 34th, despite a comparatively smaller formal digital economy, signals that no geography is insulated. The country's growing internet penetration, expanding e-commerce sector and increasing use of digital government services all enlarge the surface area available to attackers. As more Nigerians move online - a process that accelerates annually - the stock of exposed or exposable personal data grows in parallel.

The practical response for affected individuals remains consistent with long-standing cybersecurity guidance: change passwords on any account linked to a breached service, avoid reusing passwords across platforms, activate multi-factor authentication wherever it is available and treat unsolicited messages requesting personal or financial information with serious suspicion - regardless of how credible they appear. Given that stolen data can remain in circulation for years, those precautions are not reactive. They are ongoing.