Email accounts in Kenya are now among the most breached in the world, new data shows, with the number of transgressions recorded jumping more than 40-fold in 2024 to hit 1.9 million, up from 40,527 the previous year.
The data from Netherlands-based virtual private network firm Surfshark indicates that the number of breaches of email accounts in 2024 was the highest in at least five years, increasing at the fastest pace during the final quarter of the year, when a total of 904,817 attacks were recorded.
A breach occurs when an email account has been accessed without the owner’s permission, and this can happen for various reasons, including the use of weak passwords, falling for phishing, or having malware unknowingly installed on a user’s device.
Surfshark, which started recording the breaches in 2004, ranks Kenya at the 78th position globally and seventh on the African continent, with the country having experienced 7.8 million account violations over the 20-year period and 7,453 incidents occurring per 100,000 people.
Mr Gathirwa Irungu, the head developer at local IT firm GIT Software Solutions, links last year’s spike to the aftermath of massive tech job layoffs witnessed through 2022 and 2023, saying unemployed techies with top-notch skills from giant multinationals would naturally turn to online surveillance as an alternative activity.
“We witnessed unprecedented numbers in job layoffs of highly-qualified techies both in 2022 and in 2023 and there were warnings from multiple quarters at the time that this could serve as a fertile breeding ground for threat actors,” Mr Irungu told Business Daily.
“From where I sit, these are part of the results of actions taken back then and I fear it could only get worse, not just here in Kenya, but also globally.”
In February 2023 and at the height of the sackings, a Digital Footprint Intelligence (DFI) study on the net job market commissioned by cybersecurity firm Kaspersky showed that the industry was witnessing a rise in people seeking training courses that would enhance their hacking skills.
The report noted that those signing up for training were taught, among other cyber-attacking skills, how to create malware and phishing pages, compromise corporate infrastructure, and hack companies’ web and mobile applications.
According to Surfshark, the most pronounced wave of breaches in Kenya last year was in November, when international betting platform 1win was hacked, leading to a massive leakage of personal data including punters' names, phone numbers and email addresses.
In scale terms, this was followed by an incident in September when a hacker, identified as Addka72424, casually dropped a collection of 3.3 billion unique addresses weighing about 21.8 gigabytes (GB) from compromised websites, claiming it was a ‘small’ experiment to demonstrate how much public data is currently freely available.
According to Surfshark’s data, South Sudan tops Africa’s list of countries with the most breached online accounts for the 20-year period at 92.8 million, followed by South Africa at 42.2 million. Others are Egypt (25.9 million), Nigeria (23.1 million), Morocco (18.7 million), and Algeria (11.6 million).
The US is the global leader at 4.4 billion hacked emails, followed by Russia and China at 3.3 billion and 1.96 billion violated accounts respectively. Regionally, Tanzania and Uganda rank at positions 118 and 120, with 2.4 million and 2.3 million breached emails respectively.
“Most people use the same email for different accounts when registering online. That is why a single email or account can be breached several times in separate cases, and some numbers may seem too high,” notes Surfshark.
Over the years, the question of cybersecurity has stubbornly remained a pain point for most developing countries where the wave of technological revolution is just taking root.
In Kenya, cybercriminals have grown in number and sophistication, gravely impacting and disrupting the running of both public and private organisations.
The most recent of these attacks is the data leak from the Business Registration Service (BRS), which left sensitive details of over two million firms registered in Kenya between 1967 and 2024 in the hands of hackers.
While the BRS is yet to publicly state the cause of the breach, the Business Daily has established that it resulted from a bug in IT systems, which was exploited by Moldovan firm B2bhint to freely access the data that would have cost a fortune to purchase from the State agency.