LAGOS, Nigeria Despite a recent decline in the number of reported data breaches, Nigeria remains one of Sub-Saharan Africas most vulnerable countries to cyberattacks, with a staggering 13 million passwords leaked over the years, according to a new report by global cybersecurity firm Surfshark.
The report, released Thursday, July 31, 2025, shows that more than 150,000 Nigerian accounts were compromised in the first half of 2025 alone.
Although the number of incidents fell sharply between Q1 and Q2from 119,000 to 31,800, a 73% declinethe cumulative data presents a worrying picture of systemic digital insecurity.
In total, 23.3 million Nigerian accounts have been breached since Surfshark began monitoring in 2004, making Nigeria the third most affected country in Sub-Saharan Africa, after South Africa and Kenya.
Out of this number, 13 million accounts had passwords leaked, the report said, highlighting a widespread risk of identity theft, account takeovers, and phishing attacks.
According to Surfshark, 7.3 million unique Nigerian email addresses have been exposed in breaches so far.
The findings suggest that one in ten Nigerians has had their digital credentials compromised, posing serious risks to personal privacy, digital commerce, and national security.
Todays digital age requires all of us to share more and more personal information to carry out daily tasks. In the wrong hands, this data can be used to commit identity theft, for targeted scams, or sold on the dark web, said Sarunas Sereika, product manager at Surfshark.
While Nigeria saw fewer breaches in Q2, the global situation deteriorated significantly. Worldwide, compromised accounts surged from 70 million in Q1 to 94 million in Q2, marking a 34% increase.
The United States led with 42.5 million breached accounts, followed by France (11.4 million), India (1.7 million), Germany (1.3 million), and Israel (1.2 million).
When adjusted for population size, France had the highest breach density, with 172 leaked accounts per 1,000 residents, followed by Israel (130), the US (123), Singapore (26), and Canada (24).
The findings reignite concerns over Nigerias cybersecurity readiness, despite the enactment of the Nigeria Data Protection Act.
Analysts warn that enforcement remains spotty and that basic digital hygiene practices are lacking among users.
The report points to weak passwords, poor access control, and lack of two-factor authentication as the primary causes of breaches.
Cyberthreats are constantly evolving, and attackers are adapting their tactics. Strong security practices, frequent password updates, and enabling two-factor authentication remain essential, Surfshark advised.
The data was gathered from more than 29,000 publicly available breached databases and anonymised for analysis.
Each compromised email was treated as a single account, though many also exposed sensitive details, including passwords, phone numbers, IP addresses, and zip codes.
