A threat actor, thejackal101, posted a combolist containing more than 13,000 Nigerian email and password pairs on a dark web forum. The post was marketed as “fresh and high quality”, and was shared via multiple file-hosting services.
Unlike a direct breach of a single organization, a combolist is typically compiled from multiple sources, such as previously stolen logs, infostealer dumps, and credential leaks. Cybercriminals combine these records into a single file, which makes them more useful for credential stuffing attacks and other malicious activities.
After analysis, CyHawk Africa confirmed that the majority of the credentials belong to domains using the .ng top-level domain (TLD). This indicates that the affected accounts span multiple Nigerian sectors, including:
- Banking & Financial Institutions
- Government Agencies
- Telecommunications Providers
- Educational Institutions (.edu.ng)
- Non-Governmental Organizations
The education sector (.edu.ng) appeared to have the highest number of exposed accounts, reflecting ongoing threats to universities and student email systems.
Combolists are particularly damaging because they allow attackers to automate login attempts across multiple services. If a user reuses the same password across platforms, a single exposed record can lead to widespread account compromise.
CyHawk Africa advises organizations with .ng domains to:
- Regularly monitor for compromised credentials associated with their organizations on both the clear web and dark web.
- Reset all exposed credentials and enforce strong, unique passwords.
- Deploy multi-factor authentication (MFA) to block credential stuffing attempts.
- Continuously monitor login attempts for anomalies, particularly from foreign IP addresses.
- Provide cyber hygiene awareness training to employees and students on the risks of password reuse.
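The login monitoring recommended above can start from the basic credential stuffing signature: one source trying many distinct accounts and mostly failing. The following Python is an added example, not CyHawk Africa's tooling; the log format, the sample lines, the thresholds and the name `find_stuffing_sources` are assumptions, and it does not geolocate source addresses.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format: timestamp, source IP, account, result).
SAMPLE_LOG = """\
2025-01-10T09:00:01Z 203.0.113.7 u1@example.edu.ng FAIL
2025-01-10T09:00:02Z 203.0.113.7 u2@example.edu.ng FAIL
2025-01-10T09:00:03Z 203.0.113.7 u3@example.edu.ng FAIL
2025-01-10T09:00:04Z 203.0.113.7 u4@example.edu.ng OK
2025-01-10T09:00:05Z 203.0.113.7 u5@example.edu.ng FAIL
2025-01-10T09:00:06Z 203.0.113.7 u6@example.edu.ng FAIL
2025-01-10T09:05:00Z 198.51.100.20 bola@example.edu.ng FAIL
2025-01-10T09:05:09Z 198.51.100.20 bola@example.edu.ng FAIL
2025-01-10T09:05:30Z 198.51.100.20 bola@example.edu.ng OK
2025-01-10T09:10:00Z 192.0.2.15 s1@example.edu.ng OK
2025-01-10T09:10:05Z 192.0.2.15 s2@example.edu.ng OK
2025-01-10T09:10:09Z 192.0.2.15 s3@example.edu.ng OK
2025-01-10T09:10:12Z 192.0.2.15 s4@example.edu.ng OK
2025-01-10T09:10:20Z 192.0.2.15 s5@example.edu.ng OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts and mostly fail."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "ok": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines
        _ts, ip, user, result = m.groups()
        s = stats[ip]
        s["users"].add(user.lower())
        s["total"] += 1
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["ok"].add(user.lower())  # the tried password worked from this source
    flagged = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_ratio:
            # Accounts that logged in from a flagged source are reset first.
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "failures": s["fail"], "reset_first": sorted(s["ok"])}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The single user retrying a mistyped password and the shared campus address with five successful logins are both left unflagged; only the source that cycles through six accounts is reported, along with the one account whose password worked.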
This incident highlights the broader risk of data aggregation in underground markets, where old leaks are repackaged to launch new waves of cyberattacks against organizations.