Digital Encode Limited, a leading information security and governance, risk, and compliance (GRC) advisory firm, has issued an urgent cybersecurity warning on multiple loose ends.

The advisory followed a surge in security breaches affecting financial institutions, government agencies, fintechs, and other organisations across Nigeria.

Cyber threat actors have recently exposed data purportedly from both private and public institutions in Nigeria, underscoring the growing need for stronger cybersecurity frameworks, proactive threat monitoring, and coordinated incident response measures.

But Digital Encode’s advisory, released yesterday in Lagos, highlighted a troubling pattern: most recent cyber incidents were not driven by sophisticated zero-day exploits, but by preventable weaknesses in basic security configurations, credential management, and operational controls.

According to the advisory signed by the Chief Visionary Officer of Digital Encode Limited, Prof. Obadare Adewale Peter, attackers are increasingly exploiting misconfigured systems and publicly exposed assets, such as unsecured databases, open cloud storage buckets, leaked API keys, and critical servers exposed to the Internet, many of which are easily discoverable through open repositories, cloud indexing tools, and even dark web marketplaces.

The advisory outlined critical areas of concern, including publicly accessible cloud storage exposing sensitive customer and operational data; hardcoded secrets in web and mobile applications, including API keys and tokens; leaked credentials in repositories and deployment artifacts; weak internal access controls and over-reliance on single authentication layers; exposure of administrative endpoints, API documentation, and development environments in production; uncontrolled use of Third-Party Hosting platforms such as Vercel, Netlify, and Render; poor token lifecycle management and weak authentication, inadequate vendor risk management and monitoring controls.

Digital Encode noted that the vulnerabilities were widespread across organisations, particularly in financial institutions, payment service providers, Fintech companies and public sector platforms, where similar exposure patterns continue to recur.

Noting that it was not a technology problem, but an execution gap, Prof. Obadare, emphasised: “Organisations affected in recent breaches were not compromised due to highly advanced attacks, but due to lapses in enforcing existing security controls, like, ensuring that no cloud resources linked to organisations whether AWS S3, Azure Blob, Google Cloud Storage, or Firebase allow anonymous access, Verify that no cloud credentials or API tokens are exposed in public or private repositories, container registries or deployed applications, and all external and internal APIs must enforce authentication and authorization controls at all times.”

The advisory stressed that most of the risks could be mitigated with readily available tools and best practices, underscoring a critical gap between security policy and implementation.

To mitigate this menace, Digital Encode called on organisations to act immediately by conducting a comprehensive audit of all internet-facing assets, including third-party systems; revoking and rotating all exposed or potentially compromised credentials including passwords, API keys, and access tokens; reviewing historical logs to assess the extent of any prior exploitation; engaging vendors to address third-party security exposures; fixing identified misconfigurations and validating remediation efforts; strengthening monitoring, logging, and threat detection systems; and documenting remediation steps and residual risks for governance and compliance.

The firm also emphasised the need for improved visibility into shadow IT and unauthorised deployments tied to employees’ accounts, which increasingly serve as entry points for attackers.