Alleged Data Breach Targets Nigerian Microfinance Firm Fast Credit, Exposing Nearly 1 Million Records
An alleged data breach has surfaced in Nigeria’s financial sector, with threat actors claiming to have compromised Fast Credit Finance Company Limited, a Central Bank of Nigeria (CBN)-licensed microfinance institution. The breach was first publicized on April 25, 2026, via a post on X (formerly Twitter) by the threat intelligence account Dark Web Informer, which tagged the hacker iProfessor and described the incident as one of Nigeria’s largest financial sector breaches.
The attacker is reportedly offering 870 GB of data containing 939,887 records for sale on a cybercrime forum, limited to just five buyers. The stolen data includes highly sensitive customer information, such as:
- Personal identifiable information (PII)
- Government-issued ID scans
- Loan and credit transaction records
- Bank statements
- Customer correspondence and contractual agreements
- Next-of-kin details
- Personal photographs and selfies
Of particular concern is the inclusion of records belonging to Nigerian police officers and law enforcement personnel, raising risks of doxxing, targeted scams, blackmail, and potential threats to officer safety and ongoing investigations. While the breach remains unverified, screenshots shared by the threat actor appear to show sample loan documents and internal records.
As of April 26, 2026, neither Fast Credit, the CBN, nor the Nigeria Data Protection Commission (NDPC) has issued an official confirmation or denial.
A Surge in Cyberattacks Across Nigeria’s Critical Sectors
The Fast Credit breach is part of a wider wave of alleged cyber incidents targeting Nigeria’s financial, government, and educational institutions in early-to-mid 2026. Key attacks include:
- Corporate Affairs Commission (CAC) – Claimed by the group ByteToBreach, which allegedly exfiltrated 25 million files (750 GB), including company ownership records, director details, and beneficial ownership data. The CAC temporarily shut down its registration portal, sparking fears of shell company fraud and weakened anti-money laundering efforts.
- Sterling Bank & Remita – Also targeted by ByteToBreach, with stolen data reportedly including customer accounts, Bank Verification Numbers (BVNs), National Identification Numbers (NINs), and staff records. Remita, which processes government payments, was particularly vulnerable due to its role in handling salaries and taxes.
- Economic and Financial Crimes Commission (EFCC) – A threat actor linked to Nullsec Nigeria (alias “ki4t”) claimed a breach on April 21, 2026, allegedly leaking agent names, phone numbers, operational code names, and password hashes, potentially compromising investigations.
- Lagos State University (LASU) & Federal Housing Authority – Additional targets in the recent spree, indicating that both public and educational institutions are under sustained attack.
Financial institutions like Fast Credit are prime targets due to the high value of loan data, IDs, and personal records for fraud, identity theft, and dark web resale.
Regulatory Response & Broader Implications
The Nigeria Data Protection Commission (NDPC) has acknowledged the surge in attacks, launching investigations into multiple incidents, including the CAC breach. Vincent Olatunji, NDPC’s National Commissioner, has directed a review of access controls, data privacy assessments, vulnerability testing, and third-party processor due diligence.
The NDPC has also issued advisories urging organizations to:
- Appoint trained data protection officers
- Enforce multi-factor authentication (MFA)
- Update software and conduct security tests
- Encrypt sensitive data and maintain backups
If confirmed, the Fast Credit breach could lead to widespread identity theft, financial fraud, and blackmail, particularly given the inclusion of law enforcement records. The EFCC breach similarly raises concerns about operative safety and compromised investigations.
Security experts warn that Nigeria’s digital infrastructure faces systemic vulnerabilities, including:
- Legacy systems and unpatched software
- Misconfigured cloud storage
- Weak passwords and insufficient staff training
With Nigeria losing billions annually to cybercrime and the 2027 general elections approaching, there are growing fears that critical systems like the Independent National Electoral Commission (INEC) could become future targets.
For now, the Fast Credit breach remains unverified, as is common with dark web claims where actors post samples to attract buyers. Official confirmation would require forensic analysis or acknowledgment from Fast Credit or regulators. The NDPC continues to monitor developments, emphasizing cybersecurity as a national priority.
Sterling Bank TPRM report: https://www.rankiteo.com/company/sterling-bank-ltd
Fast Credit Finance Company Limited TPRM report: https://www.rankiteo.com/company/growfast-securities-and-credit-limited
"id": "stegro1777249712",
"linkid": "sterling-bank-ltd, growfast-securities-and-credit-limited",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '939,887',
'industry': 'Financial Services',
'location': 'Nigeria',
'name': 'Fast Credit Finance Company Limited',
'type': 'Microfinance Institution'}],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '939,887',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Government-issued ID scans',
'Loan and credit transaction '
'records',
'Bank statements',
'Customer correspondence and '
'contractual agreements',
'Next-of-kin details',
'Personal photographs and '
'selfies',
'Law enforcement personnel '
'records']},
'date_publicly_disclosed': '2026-04-25',
'description': 'An alleged data breach has surfaced in Nigeria’s financial '
'sector, with threat actors claiming to have compromised Fast '
'Credit Finance Company Limited, a Central Bank of Nigeria '
'(CBN)-licensed microfinance institution. The breach was first '
'publicized on April 25, 2026, via a post on X (formerly '
'Twitter) by the threat intelligence account Dark Web '
'Informer, which tagged the hacker iProfessor and described '
'the incident as one of Nigeria’s largest financial sector '
'breaches. The attacker is reportedly offering 870 GB of data '
'containing 939,887 records for sale on a cybercrime forum, '
'limited to just five buyers. The stolen data includes highly '
'sensitive customer information such as personal identifiable '
'information (PII), government-issued ID scans, loan and '
'credit transaction records, bank statements, customer '
'correspondence, contractual agreements, next-of-kin details, '
'personal photographs, and selfies. Records belonging to '
'Nigerian police officers and law enforcement personnel are '
'also included, raising risks of doxxing, targeted scams, '
'blackmail, and potential threats to officer safety and '
'ongoing investigations.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': '870 GB (939,887 records)',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential',
'payment_information_risk': 'High'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (limited to 5 '
'buyers)'},
'investigation_status': 'Unverified',
'motivation': ['Financial Gain', 'Data Exfiltration'],
'post_incident_analysis': {'root_causes': ['Legacy systems and unpatched '
'software',
'Misconfigured cloud storage',
'Weak passwords and insufficient '
'staff training']},
'recommendations': ['Appoint trained data protection officers',
'Enforce multi-factor authentication (MFA)',
'Update software and conduct security tests',
'Encrypt sensitive data and maintain backups',
'Review access controls and third-party processor due '
'diligence'],
'references': [{'date_accessed': '2026-04-25',
'source': 'Dark Web Informer (X/Twitter)'}],
'regulatory_compliance': {'regulations_violated': ['Nigeria Data Protection '
'Regulation (NDPR)'],
'regulatory_notifications': 'Pending (NDPC '
'investigation)'},
'stakeholder_advisories': 'Nigeria Data Protection Commission (NDPC) has '
'issued advisories urging organizations to improve '
'cybersecurity measures.',
'threat_actor': 'iProfessor',
'title': 'Alleged Data Breach Targets Nigerian Microfinance Firm Fast Credit, '
'Exposing Nearly 1 Million Records',
'type': 'Data Breach'}