Alleged 870 GB Data Leak at Nigerian Microfinance Firm Fast Credit Raises Cybersecurity Concerns

Fast Credit Finance Company Limited, a CBN‑licensed microfinance lender, was named in a Dark Web Informer post that tagged the actor iProfessor. The post offered the data set to just five buyers on a cybercrime forum. The claimed data includes PII, government ID scans, loan and transaction records, bank statements, correspondence, contracts, next‑of‑kin details, and personal photos, with a notable subset belonging to Nigerian police officers.

- Approximate size: 870 GB of data. - Record count: 939 887 entries offered for sale. - Audience: limited to five buyers. - Actor statement: described as one of the biggest hacks in Nigeria’s financial sector (quote from iProfessor). - Official stance: no confirmation or denial from Fast Credit, the CBN, or the NDPC by April 26 2026.

If verified, the exposure heightens risks of identity theft, fraud, blackmail, and potential endangerment of law‑enforcement personnel whose data may be included. The incident fits a broader pattern of alleged breaches against Nigerian financial and government entities in early‑to‑mid 2026, suggesting systemic gaps in patch management, credential hygiene, and third‑party risk oversight.\n ### What Defenders Should Do - Enforce multi‑factor authentication on all privileged and remote access points (MITRE ATT&CK T1078). - Apply the latest security patches for web‑application frameworks and VPNs; prioritize CVE‑2023‑XXXXX‑style flaws commonly exploited in credential‑stuffing attacks. - Deploy network‑based detection for anomalous data exfiltration (e.g., large outbound transfers >100 MB) and monitor for T1041 (Exfiltration Over C2 Channel). - Encrypt sensitive databases at rest and in transit; enforce strict access‑least‑privilege controls. - Conduct regular vulnerability assessments and penetration testing (VAPT) and review third‑party processor contracts for security clauses. - Educate staff on phishing resistance (T1566) and implement email‑gateway sandboxing.