Digital Encode Limited, a leading information security and governance, risk, and compliance advisory firm, has issued an urgent cybersecurity warning highlighting multiple security vulnerabilities. The advisory follows a surge in security breaches affecting financial institutions, government agencies, fintechs, and other organizations across Nigeria.
Background of Cyber Threats
Cyber threat actors have recently exposed data purportedly from both private and public institutions in Nigeria, underscoring the growing need for stronger cybersecurity frameworks, proactive threat monitoring, and coordinated incident response measures. Digital Encode's advisory, released yesterday in Lagos, highlighted a troubling pattern: most recent cyber incidents were not driven by sophisticated zero-day exploits, but by preventable weaknesses in basic security configurations, credential management, and operational controls.
Key Findings
According to the advisory signed by the Chief Visionary Officer of Digital Encode Limited, Prof. Obadare Adewale Peter, attackers are increasingly exploiting misconfigured systems and publicly exposed assets. These include unsecured databases, open cloud storage buckets, leaked API keys, and critical servers exposed to the Internet. Many of these are easily discoverable through open repositories, cloud indexing tools, and dark web marketplaces.
The advisory outlined critical areas of concern:
- Publicly accessible cloud storage exposing sensitive customer and operational data
- Hardcoded secrets in web and mobile applications, including API keys and tokens
- Leaked credentials in repositories and deployment artifacts
- Weak internal access controls and over-reliance on single authentication layers
- Exposure of administrative endpoints, API documentation, and development environments in production
- Uncontrolled use of third-party hosting platforms such as Vercel, Netlify, and Render
- Poor token lifecycle management and weak authentication
- Inadequate vendor risk management and monitoring controls
Not a Technology Problem
Digital Encode noted that the vulnerabilities were widespread across organizations, particularly in financial institutions, payment service providers, fintech companies, and public sector platforms, where similar exposure patterns continue to recur. Prof. Obadare emphasized that it was not a technology problem but an execution gap. He stated: "Organizations affected in recent breaches were not compromised due to highly advanced attacks, but due to lapses in enforcing existing security controls. For example, ensuring that no cloud resources linked to organizations—whether AWS S3, Azure Blob, Google Cloud Storage, or Firebase—allow anonymous access, verifying that no cloud credentials or API tokens are exposed in public or private repositories, container registries, or deployed applications, and ensuring that all external and internal APIs enforce authentication and authorization controls at all times."
Recommended Actions
The advisory stressed that most of the risks could be mitigated with readily available tools and best practices, underscoring a critical gap between security policy and implementation. To address these exposures, Digital Encode called on organizations to act immediately by:
- Conducting a comprehensive audit of all internet-facing assets, including third-party systems
- Revoking and rotating all exposed or potentially compromised credentials, including passwords, API keys, and access tokens
- Reviewing historical logs to assess the extent of any prior exploitation
- Engaging vendors to address third-party security exposures
- Fixing identified misconfigurations and validating remediation efforts
- Strengthening monitoring, logging, and threat detection systems
- Documenting remediation steps and residual risks for governance and compliance
The firm also emphasized the need for improved visibility into shadow IT and unauthorized deployments tied to employees' accounts, which increasingly serve as entry points for attackers.



