Jeroid's Alleged Data Breach
Jeroid's Data Was Selling for $2,000. Then It Became Free.
On June 26th, the personal and financial data of hundreds of thousands of Nigerians was made freely available online. Not sold. Free! Anyone could and can still download it.
The company? A fintech most people outside the crypto space have never heard of. Exactly the kind of company people assume nobody bothers with.
Jeroid is a Nigerian fintech and digital asset platform offering cryptocurrency trading, gift card exchange, and digital payment services. It isn’t a tier-one bank. By most definitions, it is exactly the kind of company people assume flies under the radar for threat actors.
What Happened
At some point before June 12th, threat actors allegedly infiltrated Jeroid’s infrastructure and walked out with the data of hundreds of thousands of customers.
On June 12th, they listed it for sale: $2,000.
Sixteen days later, on June 26th, they made it freely available to anyone who wanted it.
The price drop to zero tells its own story. Nobody paid. So instead of a payday, the attackers settled for exposure, and now the data is out there for anyone to download, sort through, and exploit.
What Was Taken
This wasn’t a partial leak of email addresses. The scope of what was disclosed is significant.
I. Wallet and account records for 759,900 wallets were included: wallet IDs, user IDs, balances, and cryptocurrency addresses. That last detail matters more than it might seem. Bitcoin addresses are public by design, and anyone can look them up on a blockchain explorer to see every deposit, withdrawal, and balance, past and present, for every Jeroid customer in the dataset. Financial privacy, gone!
II. Customer profile and KYC records for 312,433 users were also disclosed. KYC (Know Your Customer) is the identity verification process fintechs are legally required to conduct. It’s thorough by design. The leaked records include full names, email addresses, phone numbers, BVN, National ID numbers, passport scans, voter's cards, driver’s licences, and photographs.
Put those two datasets together and you have more than just someone's account details; you have everything needed to impersonate them.
The threat actor also dropped internal API endpoint paths alongside the data. The URLs in the S3 buckets point back to Jeroid’s AWS environment, and the API paths match their business model closely enough to significantly reduce any doubt about the legitimacy of the disclosure.
How Did This Happen?
The threat actor didn’t walk through the attack step by step, but the disclosure itself points to the likely causes.
Sensitive customer data (KYC files, financial records) was reportedly sitting in publicly accessible S3 buckets on AWS. That means the data wasn’t behind authentication. It was, in effect, open to anyone who knew where to look. Combine that with what appear to be vulnerabilities in public-facing systems, and the picture that emerges isn’t of a sophisticated nation-state attack.
The threat actor also made a pointed accusation: that Jeroid is used by cybercriminals in Nigeria to launder scam proceeds. Whether that claim is accurate or not, it signals that Jeroid was a deliberate target, not a random one.
The Legal Dimension
The Nigeria Data Protection Act (NDPA) 2023 places a clear obligation on organisations to implement appropriate safeguards for the personal data they hold. Storing KYC documents (passports, BVNs, NINs) in publicly accessible cloud storage is not an appropriate safeguard by any reasonable interpretation of that standard.
If this breach is confirmed, the NDPC would have legitimate grounds to investigate. The exposure of this volume and sensitivity of data, potentially caused by a basic misconfiguration, is exactly the kind of failure the NDPA was designed to address.
What Jeroid Needs to Do
Right now:
Verify the breach and understand the full scope: how many customers are affected, exactly what data was exposed, and whether access has been closed off. Any misconfigured S3 buckets, exposed APIs, or publicly accessible databases need to be locked down immediately.
Then:
Notify affected customers directly and honestly. They need to know their passport scans and BVNs are potentially in the hands of strangers. A vague “we take security seriously” statement is not enough.
Following that:
Conduct a proper root cause analysis and act on the findings. Not a checklist exercise, but a genuine audit of how sensitive data ended up publicly accessible and what else might be exposed that hasn’t surfaced yet.
PS: All technical details were drawn from the public disclosure.



