Joy Agwunobi
Nigeria has recorded 23.3 million compromised user accounts between 2004 and 2025, placing it as the third most affected country in Sub-Saharan Africa, behind South Africa and Egypt, according to a newly released report by Surfshark, a global cybersecurity firm.
The report underscores the scale and persistence of Nigeria’s exposure to data breaches over the years, with millions of user credentials, passwords, and personal identifiers leaked to unauthorised parties.
The study revealed that in just the first half of 2025, the country witnessed over 150,000 compromised accounts, highlighting ongoing vulnerabilities. Although the number of reported breaches dropped sharply by 73 percent between the first and second quarters from 120,000 in Q1 to 31,800 in Q2—Surfshark warns that the cumulative figures paint a more troubling picture.
“A downward trend in breached Nigerian accounts is observed in Q2 2025, where data breaches decreased by 73 percent compared to the previous quarter. Nevertheless, the numbers remain alarming,” the report said.
While Surfshark did not explicitly analyse the broader structural context of Nigeria’s cybersecurity environment, the total volume of breaches over time points to a deeper issue. Nigeria, which has continued to battle a persistent and evolving digital security crisis, appears to face widespread exposure and systemic challenges—as reflected in the sheer number of breached accounts captured in the study.
According to Surfshark, a data breach refers to any incident where confidential or sensitive data is exposed to unauthorised third parties. The report defines each breached email address as a separate user account, with many linked to additional sensitive data such as passwords, phone numbers, IP addresses, and zip codes.
In Nigeria’s case,of the 23.3 million breached accounts linked to Nigerian users, 13 million passwords were leaked, exposing approximately 56 percent of users to risks such as identity theft, financial fraud, extortion, and account takeovers. The report further notes that 7.3 million unique Nigerian email addresses have been compromised, often more than once.
Statistically, this translates to 10 out of every 100 Nigerians having experienced a data breach since 2004, underscoring the widespread nature of the threat.
“More than 150,000 accounts were still compromised in Nigeria during the first half of the year,” the report noted, despite the quarterly drop.
Although Nigeria experienced fewer breaches in the second quarter of 2025, globally, the threat is growing even more intense. According to the report,the total number of leaked accounts worldwide rose from 70 million in Q1 to 94 million in Q2, representing a 34 percent increase.
The United States topped the list of most affected countries in Q2 2025, with 42.5 million breached accounts. It was followed by France (11.4 million), India (1.7 million), Germany (1.3 million), and Israel (1.2 million). Other countries in the top 10 included Canada (968.6k), the UK (944k), Thailand (889.1k), Brazil (639.6k), and China (578.3k).
In terms of breach density—measured by the number of leaked accounts per 1,000 residents; France recorded 172 breach density, Israel (130), and the US (123) had the highest ratios, indicating a more intense data exposure relative to population size. Others in this category included Singapore (26), Canada (24), South Sudan (23), Belgium (21), Ireland (16), Switzerland (16), and Germany (15)
Surfshark attributed the bulk of these data breaches to weak cybersecurity practices such as password reuse, lack of two-factor authentication, and poor access controls. These vulnerabilities, common among individual users and businesses alike, make it easier for hackers to compromise multiple platforms using the same stolen credentials.
“Today’s digital age requires all of us to share more and more personal information to carry out daily tasks,” said Sarunas Sereika, product manager at Surfshark, adding “Whether sharing your name and address for food deliveries or phone numbers when booking a haircut, there’s no guarantee businesses are keeping that information safe. In the wrong hands, it can be exploited for identity theft, social engineering scams, or sold on the dark web.”
The study’s findings were derived from over 29,000 publicly available breached databases. Each email address was anonymised for statistical purposes, and treated as an individual account, many of which were exposed along with passwords and other identifiable details.
Although Nigeria has made strides in strengthening its legal framework—most notably through the Nigeria Data Protection Act—the report indirectly highlights the gap between policy and enforcement. Digital hygiene remains weak among users, and many organisations are yet to implement foundational security measures.
The combination of massive historical breaches and ongoing vulnerabilities reinforces calls for a more coordinated national cybersecurity strategy. This includes public education on data protection, stricter enforcement of data compliance among businesses, and the adoption of global security standards across both public and private institutions.
As Nigeria continues to expand its digital infrastructure and online services, experts warn that failure to address the underlying weaknesses could leave millions more vulnerable in an era where data is a prime target for malicious actors.
