More than 24 million Nigerian user accounts have been compromised in data breaches since 2004, placing the country third among the most affected nations in Sub-Saharan Africa, according to a new report by cybersecurity firm Surfshark. The findings, drawn from an analysis of global breach trends for the first quarter of 2026, arrive as the volume of exposed data worldwide surges to levels that should alarm governments, businesses, and ordinary internet users alike. Between January and March 2026 alone, Nigeria recorded 281,500 leaked accounts - enough to rank it 34th most breached nation globally for the period.
The Scale of Exposure Goes Far Beyond Account Numbers
Raw figures rarely capture what data breaches actually cost people. Behind Nigeria's 24.1 million compromised accounts sits a far more troubling dataset: approximately 7.5 million unique email addresses exposed since 2004, roughly 13 million leaked passwords, 1.9 million phone numbers, more than 925,000 residential addresses, around 3,900 Social Security-related records, and 1,600 payment card details. This is not abstract information - it is the raw material of identity theft, financial fraud, and targeted extortion.
Surfshark's analysis notes that more than half of breached Nigerian users remain vulnerable to cyber-related crimes, meaning the damage does not end when an incident is reported or a password is changed. The report's summary statistic is blunt: statistically, 10 out of every 100 Nigerians have been affected by a data breach. For a country with a large, fast-growing digital population and an expanding base of mobile financial services users, that figure represents a structural risk rather than a one-time event.
A Global Surge Driven by AI Adoption and Expanding Data Footprints
Nigeria's exposure does not exist in isolation. Globally, 210.3 million accounts were breached in the first quarter of 2026 - a figure that tripled compared to the same period in 2025 and rose 22 per cent from the preceding quarter. The United States accounted for 29 per cent of all reported breaches worldwide, followed by France, India, Brazil, and the United Kingdom. The trend points to systemic vulnerabilities that accelerating technology adoption is making worse, not better.
Surfshark's Chief Security Officer, Tomas Stamulis, identifies artificial intelligence as a significant contributing factor - not as a cause of attacks, but as an amplifier of risk. The share of companies using AI technologies rose from 8.7 per cent in 2023 to 20.2 per cent in 2025. As businesses integrate AI-driven tools for automation, analytics, and operational efficiency, they collect and retain larger, more detailed datasets. Each new system that stores user data is also a system that must be secured. The more systems an organisation runs, the wider the surface available to attackers.
"These AI-driven systems collect and log more detailed user information for automation, analytics, and model improvement," Stamulis said, adding that compromised personal information frequently retains value long after credentials are changed. Cybercriminals routinely combine old and newly leaked data into so-called "combo lists" - aggregated files that are traded or reused repeatedly across fraud schemes and account hijacking attempts.
What Nigerian Users and Institutions Need to Do Differently
The policy and behavioural responses to sustained data exposure are well established, though consistently under-applied. Surfshark recommends that users limit the volume of sensitive personal information shared online, use email masking or alternative identities where services allow, and provide confidential information only when genuinely necessary. These are basic measures, but the scale of historical leakage in Nigeria - particularly phone numbers and residential addresses - suggests they are not yet standard practice.
At the institutional level, the findings reinforce arguments that have been made about Nigeria's data protection framework. The Nigeria Data Protection Act, signed into law in 2023, established clearer obligations for organisations that collect and process personal data, including breach notification requirements. Enforcement, however, remains the harder challenge - and breach statistics of this magnitude suggest that many organisations handling Nigerian user data, whether domestic or foreign, are not meeting adequate security standards.
The broader implication of Surfshark's report is not that digital activity should be curtailed, but that the infrastructure supporting it - legal, technical, and organisational - must be brought into closer alignment with the actual risk environment. As AI adoption continues and datasets grow larger, the cost of that misalignment will only rise.
