Since 2004, approximately 24.1 million user accounts linked to Nigerian individuals have been compromised in data breaches, placing the country third among the most affected nations in Sub-Saharan Africa, according to a new report by Surfshark, a Netherlands-based cybersecurity firm. In the first quarter of 2026 alone, Nigeria recorded 281,500 leaked accounts, ranking it 34th globally during the period. The findings arrive as worldwide breach volumes reach alarming levels - 210.3 million accounts were exposed in just three months, triple the figure recorded in the same period of 2025.
What the Breach Data Reveals About Nigerian Users
The scale of exposure affecting Nigerian internet users extends well beyond account numbers. Surfshark's analysis found that roughly 7.5 million unique email addresses belonging to Nigerian users have been leaked since 2004, accompanied by approximately 13 million compromised passwords. More striking is the granularity of what has been stolen: about 3,900 Social Security-related records, 1,600 payment card details, 1.9 million phone numbers, and over 925,000 residential addresses were among the exposed data categories.
That combination matters because it creates compounding risk. A leaked password is a recoverable inconvenience. A leaked address, phone number, and payment card detail together constitute a usable identity - one that can be deployed for financial fraud, extortion, or account takeovers long after the original breach occurred. The report estimates that 10 in every 100 Nigerians have been directly affected, and notes that more than half of breached users remain actively vulnerable to cyber-related crimes.
The AI Factor: More Data, More Risk
The broader global surge in breached accounts is not happening in isolation. Surfshark's chief security officer, Tomas Stamulis, pointed to the accelerating adoption of artificial intelligence by businesses as a structural contributor to rising data exposure. The share of companies using AI technologies rose from 8.7 per cent in 2023 to 20.2 per cent in 2025 - a shift that has substantially expanded the volume and sensitivity of user data being collected and retained.
AI-driven systems require large, detailed datasets to function - for automation, analytics, model training, and operational efficiency. Each new system an organisation deploys becomes an additional point of vulnerability. "These AI-driven systems collect and log more detailed user information for automation, analytics, and model improvement," Stamulis said. He added that while AI improves productivity, it also multiplies the number of systems that must be secured, creating additional opportunities for cybercriminals to exploit weaknesses.
This is not a theoretical risk. As organisations across sectors - finance, healthcare, retail, logistics - integrate AI tools at speed, security infrastructure has not always kept pace. The result is a widening attack surface, particularly in markets where digital adoption is outrunning regulatory and institutional frameworks designed to protect user data.
Old Data, Lasting Danger
One of the most consequential warnings in the report concerns the long shelf life of stolen information. Stamulis noted that compromised personal data retains value for cybercriminals well after credentials have been changed or accounts have been closed. Hackers routinely aggregate leaked records from multiple sources into what are known as "combo lists" - consolidated databases of personal information that are traded, sold, and repeatedly deployed for fraud and identity theft schemes.
This practice means that a breach from 2008 can still fuel an attack in 2026 if the underlying personal details - names, addresses, phone numbers, partial financial records - have not changed. For Nigerian users, whose residential and contact information appears prominently in the leaked data, this presents a persistent, low-visibility threat that outlasts any single incident.
Surfshark recommended that users limit the volume of sensitive personal information shared online, use masked or alternative email addresses where possible, and avoid submitting confidential data unless strictly necessary. These are precautions that apply universally, but carry particular urgency in environments where institutional recourse after a breach remains limited.
