
Why Meta is in trouble in Nigeria and what this means for Facebook, Instagram and WhatsApp users
Meta, the parent company of Facebook, Instagram and WhatsApp, was recently hit with three fines totalling more than US$290 million in Nigeria. The fines were imposed by Nigeria's Federal Competition and Consumer Protection Commission, Nigerian Data Protection Commission and the Advertising Regulatory Council of Nigeria. Meta was accused of invasive practices against data subjects and consumers in Nigeria. The company denied the allegations and has challenged the fines in court.
Entrepreneurship and international business researcher Tolu Olarewaju and professor of entrepreneurship Jagannadha Pawan Tamvada explain the implications of the fines.
The trouble began on 4 January 2021 when WhatsApp updated its privacy policy to introduce mandatory data-sharing with Facebook (now Meta) and its subsidiaries. The main change allowed WhatsApp to share user business interaction data with Facebook for marketing and advertising purposes.
The updated policy did not include an opt-out provision. It was a 'take it or leave it' policy. In other words, if users did not consent to the updated terms, they would no longer be able to use WhatsApp. This triggered a Federal Competition and Consumer Protection Commission investigation into Meta, conducted jointly with the Nigeria Data Protection Commission. The probe was conducted from May 2021 to December 2023.
Meta has allegedly not complied with the Nigeria Data Protection Commission, and failed to appoint a Data Protection Compliance Organisation. That's an entity licensed to assist data controllers and processors in achieving compliance with Nigeria's data protection regulations. And it has not submitted its mandatory Nigeria Data Protection Regulation reports for two consecutive years.
Nigeria is the most populous country on the continent, with about 236 million people. It has about 107 million active internet users. The most used social media platforms at the end of 2024 were WhatsApp, Facebook, TikTok, Instagram and Telegram.
Meta owns WhatsApp, Facebook and Instagram and has threatened to pull Facebook and Instagram services from the country.
The Federal Competition and Consumer Protection Commission has said quitting Nigeria won't absolve Meta of its liability.
Facebook has about 51.2 million users in Nigeria, while Instagram has about 12.6 million.
The investigation uncovered several violations. These included:
Unauthorised data sharing: Meta was found to have shared Nigerian users' personal data without their consent. This included cross-border transfers and storage, violating the Nigeria Data Protection Commission and the Federal Competition and Consumer Protection Act.
Discriminatory practices: Meta allegedly treated Nigerian users differently from those in other jurisdictions with similar regulations. Meta currently offers stronger privacy protections in the European Union due to the General Data Protection Regulation. Nigerian regulators have highlighted this double standard.
Denial of data self-determination: The company was accused of denying Nigerian users the right to control how their data is used, compelling them to accept exploitative privacy policies.
Abuse of market dominance: The Federal Competition and Consumer Protection Commission said the company abused its dominant market position to enforce unfair privacy policies.
Tying and bundling: Meta was found to have engaged in tying and bundling practices, which are considered anti-competitive. Tying occurs when a company requires customers to buy a secondary product or service as a condition of buying a primary product or service. For example, if Meta required users to accept Facebook's terms and automatically enrol in WhatsApp or Instagram services (or allow data sharing across them) to use Facebook, then that could be considered tying. This is because it can limit consumer choice, stifle competition, and force people to accept products or terms they don't want.
Bundling occurs when a company sells multiple products or services together as a package, or makes it difficult to buy them separately. For example, Meta might bundle multiple services like Facebook, Instagram and Messenger in such a way that users must accept a single privacy policy that covers all, even if they only use one service. This can shut out smaller competitors and prevent users from choosing alternatives.
After remediation efforts failed, the Federal Competition and Consumer Protection Commission issued its final order in July 2024. It imposed a US$220 million fine along with penalties from other agencies, bringing the total to US$290 million.
In addition to the fine, the commission has ordered Meta to comply with Nigerian laws and cease practices it described as the 'exploitation' of Nigerian consumers.
After completing its inquiry, the agency shared its findings with Meta. The company proposed a 'remedy package'. But the commission rejected this as inadequate.
Meta has failed to localise its data practices. It appears dismissive of Nigerian sovereignty and regulatory authority. For example, Meta has been transferring Nigerian users' data overseas without protecting them as required by Nigeria.
Meta's estimated annual revenue in Nigeria is between US$200 million and US$300 million. However, many Nigerians in the diaspora use Facebook and Instagram to communicate with people inside the country. Revenue from those users is likely to raise the figure considerably.
The company has faced similar sanctions for data violations worldwide, including a US$1.4 billion fine in Texas and a US$1.3 billion fine in Europe.
It has also been penalised in India, South Korea and Australia.
Meta now faces heightened scrutiny from Nigerian regulators. It will have to adhere more strictly to local data protection and consumer rights laws. This includes appointing a Data Protection Compliance Organisation and submitting mandatory audit reports as stipulated by the Nigerian Data Protection Regulation.
The three fines and regulatory measures may also compel Meta to reassess its operations in Nigeria. It might adjust its services to align with local laws.
Meta has also been ordered, by the courts, to reimburse the Federal Competition and Consumer Protection Commission US$35,000 for the cost of the investigation. And it has been told to take the following measures:
reinstate the rights of Nigerian users to determine the control and use of their data without losing functionality or deleting the application
set its privacy policy to comply with data protection laws in Nigeria
stop sharing WhatsApp users' information with other Facebook companies and third parties until users have actively consented
revert to the data sharing practices adopted in 2016, including establishing an opt-in screen
terminate the tying and transfer of data without consent
add a visible link on its platforms for Nigerian users, leading to educational content about the risks of manipulative and unfair data practices. These videos will be developed in collaboration with approved NGOs and academic institutions.
Other social media entities operating in Nigeria will be watching closely to see what's required.
Many Nigerian businesses and entrepreneurs use Facebook and Instagram for marketing, customer engagement and sales. The platforms offer cost-effective advertising and direct communication channels with customers.
These platforms also provide valuable analytics on customer behaviour, content performance and demographics. Businesses use these services to refine their marketing strategies and make data-driven decisions.
Content creators in Nigeria use Facebook and Instagram to build audiences, monetise content and collaborate with brands. The African creator industry, valued at £2.4 billion in 2024, is expected to grow significantly.
Afrobeats has also gained popularity across Nigeria and globally with the assistance of these platforms.
Nigeria's ecosystem of homegrown and African social media platforms is growing, offering local alternatives to global giants like Facebook and Instagram. While none match their scale, platforms like Crowwe, ChatAfrik and Nairaland are making strides in content sharing, chat, forums and business promotion.
The information and communications technology sector contributed about 20% to Nigeria's real gross domestic product in the second quarter of 2024. The rapid expansion of the digital technology industry in recent years highlights its strong potential to stimulate economic growth.
Nigeria's digital economy has also seen significant growth due to increased internet access and mobile usage.
This article is republished from The Conversation, a nonprofit, independent news organization bringing you facts and trustworthy analysis to help you make sense of our complex world. It was written by: Tolu Olarewaju, Keele University and Jagannadha Pawan Tamvada, Kingston University
The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.
Related Articles
Yahoo
Major warning over $50,000 act during popular Aussie travel period: 'Risky'
Australian travellers are being urged to rethink getting personal loans to pay for their winter travel plans. Nipping over to Europe or the US to escape the cold is a well-trodden path that thousands take every year. But some aren't spending months to save for the holiday and are instead taking out loans to ensure they can live life to the fullest. Tax expert Kiki told Yahoo Finance this can have huge ramifications down the line if you want to buy a home. "It's a bit risky taking out a loan, especially in this environment where the banks are quite strict with borrowing capacity, and taking out a personal loan of $50,000 will definitely impact your borrowing capacity," she said. "If they're going on a holiday just to have a break and take some pictures, and it's not for a family reunion or anything of that sort, then I think it's a bit silly." Fifty grand might sound like a ridiculous amount to spend on a jaunt to Europe, but this number was cited by some on social media. Brooklyn posted a TikTok asking how people managed to afford to go away every single it just sneaky savings hacks? Racking up credit card debt? Staying in the cheapest, nastiest hostel and eating bread every day? Everyone had their personal trick, but one person said, "I know a lot of girls take out $50,000 personal loans just to go." Another added: "I know of people who took out $50,000 to go on trips, absolutely astounding." The answer absolutely floored Brooklyn, especially considering she had budgeted just $16,000 for two people to spend 10 weeks in Europe. "Is this genuinely something people are doing? Like, I save diligently, I don't really drink, I don't really go out and do any of those things, and I can't afford to go on these massive holidays every year," she said. 
Data from Finder revealed Aussies have slowly been taking out more in personal loans for their holidays and travel plans. In January 2020, Aussies were approved for $35 million worth of personal loans for getaways alone. While that's a lot, it's nothing compared to the $1.1 billion taken out for car loans in the same month. Personal loans for travel obviously took a massive dip during the pandemic, but ever since July 2021, the total amount taken out has been steadily increasing. The latest data showed $59 million was approved just in July, 2024. Kiki said people are too often trying to 'keep up with the Joneses' and con themselves into these huge holidays just because others are jet-setting at the same time. Finder actually discovered more than 2.14 million people would go into debt to pay for their holidays. A further 5 per cent of Aussies, more than one million people, said they felt pressured to organise travel plans they couldn't afford. Personal finance expert Sarah Megginson told Yahoo Finance you need to be very careful going down this route as it can be a slippery slope. "A growing number of Aussies are drowning in debt to be able to travel," she said. "While it's tempting to splurge on a holiday, taking out credit to do so can cause long-term financial consequences and keep you stuck paying off debt for months or even years." When Brooklyn uploaded her video, some Aussies weren't too fazed by the $50,000 admission. "I'm happy for them. As long as they pay it back who cares? Life is for living," wrote one person. "When it's that or waiting 5 years to save — take the loan! See the world! Life is too short," added another. But Kiki said this laissez-faire attitude towards loans isn't the best outlook. "People just don't realise the impact it has on them when they come back from the holiday, which is the concerning part," she told Yahoo Finance. 
"If you want to go on a holiday, then save for it, and then you won't have to stress about the aftermath of coming back and having to deal with this loan that is probably anywhere between two to five years of repayments." Having debt hanging over your head for that length of time can take a huge toll on your finances and mental health. Kiki said you can keep costs down by booking flights well in advance, checking the same accommodation on multiple sites for the lowest price, finding free walking tours, or going just before or after peak season. Also putting any savings into a high interest account can boost your money as much as possible. That was another point many raised on TikTok. They're both credit and yet it's personal loans that seem to be demonised, some said. However, Kiki explained that if you're putting all your travel expenses on a credit card, you're at least getting the frequent flyer points. You could rack up enough points that flights for your next holiday are a fraction of if you bought them outright. You can also get certain travel insurance when booking with a credit card, and some cards have interest-free periods if you pay off your debt in full each month, which is not usually available with personal loans. Credit cards and personal loans can carry incredibly high interest repayment rates, with some north of 20 per cent, however, there are some in the 5-10 per cent range, depending on a few factors. But Kiki said optics can play a role if you want to get a mortgage a few years after that big Europe holiday. "The bank might ask why was this loan taken out, and if the answer is, 'For a holiday', then they might perceive that behaviour as not someone that is financially stable," she said. The same can and will happen if you have loads of credit card debt. 
But the difference is you will have a credit card debt at the end of your holiday based on exactly what you've spent, compared to potentially overestimating how much you'll need for the
Yahoo
‘Life is full of unexpected surprises': People trying to call Iran meet mysterious voice message
People trying to call friends and loved ones inside Iran have instead been met with strange, pre-recorded voice messages, which some experts believe may be part of the regime's wider internet blackout. In a recording of a telephone call heard by CNN, a person outside of Iran hoping to hear their friend's voice on the other line, was instead met with a robotic voice. 'Hello, and thank you for taking the time to listen,' the voice says. 'Life is full of unexpected surprises,' it continues, 'and these surprises can sometimes bring joy while, at other times, they challenge us. 'The key is to discover the strength within us to overcome these challenges.' The unsettling message, which lasts nearly 90 seconds, then goes on to recommend the listener close their eyes and imagine themself in a place that brings them 'peace and happiness.' While different variations have been reported, this version appears to have been the one most commonly heard by people outside Iran placing calls to mobile phones inside the country on Wednesday and Thursday. No similar message was reported when calling landlines. The messages were widely heard after Iran imposed nationwide temporary restrictions on internet access on Wednesday, citing security concerns. This meant WhatsApp was down, so people abroad began calling their friends and family in Iran directly, rather than via the app. The message is reportedly not heard if the call is made through an app. The initial assumption for many Iranians was that the messages were the result of an Israeli cyberattack. Others see the Iranian authorities as being behind them. Alp Toker, the founder and director of NetBlocks, a non-governmental organization that monitors internet governance, believes the messages are an attempt by the Iranian government to limit telecommunications, as part of the wider internet censorship measures. 
'The point is, when the internet is cut, the phones need to go somewhere, and that will go to the fallback message on the device,' he told CNN. Toker added it was a phenomenon NetBlocks had seen in different places around the world when internet access was cut. 'Sometimes it will have an advert for summer vacations and sometimes it will have some other nonsense,' he said. According to Toker, the messages are text-to-speech generated. He believes they appear to have been set up rapidly. 'It's in the format of a normal gateway answering message of the type you might get from a national gateway when a phone doesn't answer,' he said. 'It seems that they've gone with the settings, and there's a little box where you can put in the settings and they've put something in there, pre-AI generated.' Meanwhile, a UK-based telecommunications expert who listened to a recording of the most commonly heard message told CNN that 'the call appears to be hijacked after the second ring, which is highly unusual and deeply concerning. This suggests interference at the network level – well before a proper connection is established.' The expert asked not to be named for safety reasons. Neither Israel nor Iran has made a public statement on the recorded phone messages. Access to international internet services had been partially restored in parts of Iran on Saturday 'after approximately 62 hours of severe disruption,' NetBlocks said. 'While some regions have seen improvements, overall connectivity remains below ordinary levels, continuing to hinder people's ability to communicate freely and access independent information,' it added. The semi-official Tasnim news agency reported that international internet services would resume by 8 p.m. local time Saturday, citing the communications minister. However, Tasnim later reported that this was not the case, citing the same minister. 
According to the communications ministry, Iranians abroad can now contact their families inside Iran through domestic messaging apps. The Iranian government has frequently restricted internet access in the country. During nationwide protests in 2022, authorities implemented multiple internet shutdowns in an effort to stifle dissent.
Yahoo
16 billion password data breach hits Apple, Google, Facebook and more — LIVE updates and how to stay safe
The massive 16 billion-record data breach that exposed login credentials from Apple, Google and Facebook has gone on record as one of the largest data breaches in history. Cybernews reports that records from over 30 databases have been stolen, with each containing up to 3.5 billion passwords from social media and VPN logins to corporate platforms and developer platforms. The recent data breach contains a massive amount of information that can affect billions of online accounts, as cybercriminals now have access to a massive amount of login credentials. This puts users at risk of further malicious behavior from phishing attacks, social engineering and identity theft. Here are the latest updates on what we know about the data breach, how to find out if you're affected and how to stay safe. Currently, nearly all major platforms have been affected by the breach, including Apple accounts (formerly Apple IDs), Gmail, Facebook accounts and GitHub as well as instant messaging platforms like Telegram and both commercial and government platform portals. The data appears to contain URLs, usernames and passwords. However, with the unfathomable size of the data that's been exposed, there's no way to tell how many accounts are currently under threat. The stolen data appears to come from several infostealers, and while the datasets are new, the sheer amount of info could also be from a mix of different datasets from previous breaches, including a database containing 184 million records discovered in May this year. With the 16 billion login credentials now being exposed, it's important to check if your account has been exposed and to stay safe. First, the best way to keep your account secure is to enable two-factor authentication (2FA). 
This will stop threat actors from easily accessing your online accounts, as a second form of authentication through an app, phone, passcode or a physical USB key will need to be approved by you. If you haven't already, find out how to enable 2FA right now. Second, to find out if your login credentials have been affected, use Have I Been Pwned and check if your email is in the clear. If you are at risk, immediately change your password, delete unused accounts and consider using one of the best password managers to secure your online accounts. Security researchers have identified what they call "one of the largest data breaches in history", which includes more than 16 billion logins that include Apple credentials. According to a report from Cybernews, the staggering amount of information is contained in numerous datasets that have been uncovered since the start of the year. So far, the researchers have discovered 30 datasets, each containing up to 3.5 billion records. This includes everything from social media and VPN logins to corporate platforms and developer platforms. "This is not just a leak — it's a blueprint for mass exploitation," the researchers told Cybernews. The easiest way to find out if your email and password are affected in this mass data breach is to use Have I Been Pwned. It's a free service that collates data from hacks and can also send you alerts when your online account is at risk. The site will notify you if your email is involved in the breach, and you can also check if your password has been exposed through Pwned Passwords. You can do a manual check right on the site, but we also recommend using the Notify Me service to make sure your accounts aren't affected in the future, too. With 16 billion login credentials being exposed, there's a big chance that your account is at risk. If left unchecked, cybercriminals can gain access to your accounts, leading to phishing attacks, identity theft, ransomware and more. 
To counter this, change your passwords immediately, especially if you reuse passwords for multiple accounts. It's a good idea to use a strong, complex password with a mix of numbers and symbols, and use PasswordMonster's Password Strength Meter to see how effective it is. To manage it all, it's a good idea to use one of the best password managers, as these will store, secure and autofill your passwords, and they also support passkeys across accounts. We reached out to security researcher and owner of Volodymyr Diachenko, about the data breach, who explains that it wasn't just from one infostealer malware, but many: "First things first — it wasn't a single source of exposure. This is not about the number (though it is scary!), but the scale and rise of infostealers infections these days," Diachenko states. "What this number reflects is the size of different infostealers datasets exposed publicly since the beginning of this year alone. They were observed by me and my team via passwordless repositories left exposed inadvertently." The data breach is known to have come from various infostealers. As per reports, infostealers are what caused the exposure of login credentials. This is a form of malware that can secretly steal sensitive data like passwords or chat logs and send them back to hackers. Cybersecurity expert Diachenko states: "It comes from various infostealers logs. Probably a backend infrastructure left exposed. Elasticsearch is a good environment to query such logs." While this is named the largest data breach in history, the 16 billion login credentials were only exposed "briefly," according to researchers in the Cybernews report. However, it's still long enough for threat actors to gain information and to put accounts at risk. "The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data," Cybernews states. 
Along with this, out of the 30 datasets discovered, the majority of these were temporarily accessible through Elasticsearch, which is a free and open-source search engine, or "object storage instances." Earlier this month, Google released a survey detailing the growing awareness of the threat from scams in the U.S., stating that over 60% of users in the U.S. have seen an increase in scams over the past year. While many have seen scams through SMS texts, 61% state they have been targeted through emails. Plus, the survey notes that one-third of those experiencing an increase in scams have "personally experienced a data breach." What's more, the FBI also states that online scams have seen a 33% rise last year, with a total of $16.6 billion being stolen. In light of this data breach, there could be a major rise in phishing scams or account takeovers. This is why Google has warned users to change their passwords and rely on other forms of authentication, including passkeys. The datasets with exposed login credentials contained old and recent infostealer logs, and as Diachenko points out: "Credentials we've seen in infostealer logs contained login URLs to Apple, Facebook, and Google login pages." Many of the data sets contained other specific information. One dataset was named after Telegram with 60 million records, another was labeled with a name relating to the Russian Federation with 455 million records and one with the largest amount of records at 3.5 billion is said to have a connection to a Portuguese-speaking population, as Cybernews reports. However, many datasets were also simply named "logins" and "credentials" with massive amounts of information. There's no way to tell what services these are for, and considering the billions of credentials leaked, there's reason to believe that accounts for any platform online are at risk. With infostealers being the cause of the mass data breach, it's best to know how to keep your PC secure from the malware. 
Trusted downloads: Only download software through legitimate websites and sources.
Stay clear of suspicious emails: Never click on unexpected links or attachments. Make sure you know the signs of phishing emails.
Update your system: Whether it's on your iPhone, Android phone, Windows laptop or MacBook, keep your system up to date with the latest security patches to stay secure.
Use a VPN: Virtual private networks can mask your identity online, making it harder for threat actors to track you down. Be sure to use one of the best VPNs.
Download antivirus software: This can keep many forms of malware at bay, including known infostealers. You can check out the best antivirus software for your system.
Enable 2FA: In case your login credentials are caught in the data breach, enabling two-factor authentication will make it harder for cybercriminals to access your online accounts.
We've seen major data breaches before, including the RockYou2024 leak exposing nearly 10 billion passwords with a mix of old and new records, along with the previous RockYou2021, which kicked off with 8.4 billion passwords. Recently, the largest ever data leak hit China and exposed more than 4 billion user records. This breach included financial data, WeChat and Alipay details as well as sensitive personal info like IDs, birthdates, phone numbers, and residential data. This 16 billion password data breach is one of the largest in history, but last year we reported on the supermassive Mother of all Breaches (MOAB), which contained 26 billion records or 13 terabytes of data taken from previous leaks, breaches and hacked databases. Data breaches aren't anything new, and one of our team has been hacked before. This was due to Adobe being hacked and the attackers getting a list of 153 million usernames and passwords in 2013. If you're worried about the 16 billion data breach, you can find out the best steps to take to prevent being hacked and improve your online security. 
Some essential tips include signing up for Have I Been Pwned, staying clear of reusing passwords, deleting unused accounts and making sure to enable two-factor authentication. Many companies, including Google, Apple, and Microsoft, are using passkeys to reduce the growing risk of phishing attempts, as login credentials in data breaches that cybercriminals use can lead to account takeovers. In fact, Microsoft is now making passwordless the default for new users. Niall McConachie, regional director (UK & Ireland) at Yubico (the company behind the YubiKey), reached out to weigh in on the data breach: "As this huge data breach shows, passwords are just not good enough to protect our most important personal details and secure our online presence," McConachie states. "By continuing to rely on passwords, huge data breaches like this will persist — and they'll only get worse." McConachie continues: "As we rely on the internet more and more for critical services, users should opt for the highest-assurance authentication method to ensure their data is fully protected and not at risk of being accessed by cyber criminals. "Instead of relying on passwords or legacy MFA to keep accounts safe, users must be encouraged to protect their accounts with device-bound passkey options like physical security keys." Since news broke about the data breach, it's been difficult to tell if login credentials included accounts from Apple, Google, Facebook and more. But Cybernews has now shared screenshots of the datasets (not including personal info, of course). These datasets show that there are URLs to Facebook, Google, GitHub, Zoom, Twitch, and other login pages. However, with the amount of data that is being exposed, the number of platforms that are affected is uncertain. As previously noted, there's reason to believe that every major platform has been affected by the data breach. 
A recent report from cybersecurity site BleepingComputer indicates the 16 billion password data breach actually isn't new, with the data instead likely to have been circulating for years. The data may have been collected by cybercriminals and researchers and repackaged into the massive database, only for this to be exposed online. The login credentials compiled by the infostealers involved, such as usernames and passwords, may have been collected over time, with different archives being repackaged into the massive database. Cybernews states that the data in the breach is recent and "not merely recycled from old breaches," but some data could be overlapping. Either way, many credentials were exposed in the breach, so it's a good idea to secure your accounts, change your passwords and stay safe. One of the key risks of a data breach this big is how easily cybercriminals will be able to access multiple accounts, especially for those who reuse passwords. A survey from NordPass indicates that as many as 62% of Americans, 60% of Brits and 50% of Germans admit to reusing passwords across multiple online accounts. Ignas Valancius, head of engineering at cybersecurity company NordPass, had this to say: "Users must be extra careful because information in the leaked datasets opens the door to pretty much any online service, from Facebook and Google to GitHub and Telegram. Even some government platforms were compromised. "I recommend changing passwords immediately before the threat actors start poking around in your accounts. You need to act fast because platforms like Google, Apple, or Facebook are the gateways to your entire digital life, especially if you store passwords in browsers and don't use multi-factor authentication (MFA) or passkeys. "If hackers manage to get their hands on your password for Google, Apple, or Facebook, stealing your money and identity may be easier than taking candy from a three-year-old." 
While not part of the 16 million passwords leaked in the data breach we're covering, BleepingComputer reported on another confirmed data breach, this time from Krispy Kreme. According to the report, over 160,000 individuals were impacted by a November 2024 cyberattack, in which attackers stole personal information (the attack was apparently claimed by the Play ransomware gang). The U.S. chain sent notifications to the people who were affected.
Data breaches are on the rise, and the recent massive leak of login credentials across multiple platforms shows that now's the time to stay safe online. Make sure you're using one of the best VPNs and best antivirus software to keep your accounts secure.
Though it can be scary to know that your data is out there on the web, circulating amongst hackers, there are steps you can take to protect yourself. First, as we've mentioned below, make sure you're changing the passwords to your accounts and using unique, strong passwords for each account. When possible, use passkeys instead. Always use two-factor or multi-factor authentication when an account has it available.
As with all data breaches, the biggest threat will be phishing attacks and online fraud. Avoid clicking on links or downloading attachments from unknown senders, as hackers often set up fake pages to steal your credentials, credit card data and other sensitive info. Never click on any unexpected links, attachments, files or QR codes from people you don't know. You also want to be wary of people on social media who may reach out to you with offers or those who want you to download or click on files or attachments. If you receive something that appears to be from someone you do know, confirm it with them in an independent manner, like calling them on the phone or texting them.
If you haven't signed up for one of the best identity theft protection services, now might be a good time to look into them.
You can also consider putting fraud alerts on your files with the Big Three credit-reporting agencies Equifax, Experian and TransUnion, and even instituting a credit freeze (although doing so can complicate getting a loan or opening new payment accounts). When going online, make sure you have one of the best antivirus software programs installed and up to date, since these programs often include a VPN, password manager, secure browser and other extra security tools to help keep you safe online.
As more and more companies realize how easy it is to breach passwords and how frequently users reuse them – or use weak passwords – they have begun moving to a stronger method: passkeys. Microsoft recently announced that the Authenticator app will shut off the password autofill feature in July, a move that the company is likely making as it moves towards a passwordless future.
And Google recently issued a security warning encouraging users to enable two-factor authentication or risk an account lockdown; Google's VP of privacy Evan Kotsovinos was quoted as saying another good step to make your account even more secure is to replace your password entirely. Kotsovinos' recommendation is to trade your password in for a passkey, which involves using your biometric information like your fingerprint or facial recognition alongside a trusted device like your smartphone.
To that end, Facebook announced this week that it would soon be rolling out passkey logins for its users, making it both easier and more secure to sign in to its services. Facebook users should soon see the option to enable passkey logins in the Account Center, from the Settings of their Facebook accounts on their mobile devices, and the option will also get rolled out to Messenger, and eventually Meta Pay. The Facebook passkey will work with the same fingerprint, facial recognition or PIN technology that you use to unlock your device.
Because they're stored on your device, they cannot be guessed, cracked or shared. However, if you still wish to use a password, you can.
If, like our own James Frew, you have also committed the security sin of reusing passwords, or have used an unsecure Wi-Fi network or engaged in some other less-than-safe computer behavior, and wound up getting hacked, you might wonder what you should be doing next. Here's everything James did to re-establish a safe, secure computing environment for himself and make sure he was practicing safe computer habits.
1. Don't reuse passwords
2. Enable Two-Factor Authentication
3. Delete unused accounts
4. Sign up to Have I Been Pwned
5. Start fresh
Checking your phone and seeing that 16 billion passwords have been leaked online is enough to give anyone a proper scare. However, when you're dealing with a data breach or data leak as massive as this one, it's important to put things in context before you Spadafora here and I've been covering cybersecurity news for over a decade. During that time, I've seen a lot of massive security incidents like this one. However, there's one thing a lot of them have in that no brand or company is mentioned outright in our coverage here at Tom's Guide and at other news outlets across the web, this is an easy giveaway that this isn't a new breach or leak but instead a collection-style one.
In this case, it's likely not brand new data being exposed online but passwords and other personal info from previous security incidents. This data is then repackaged in a way that's easier to search through and simpler for other cybercriminals to use in their attacks. For instance, similar collections like the RockYou2024 leak with 9 billion records and Collection #1 with more than 22 million unique passwords were distributed this way in the this doesn't mean you shouldn't swap out your simple passwords with strong and complex ones or take a hard look at your online security habits.
It just means that you shouldn't worry too much, as there's a high chance that a lot of these 16 billion credentials were already exposed online and likely for sale on the dark web. So instead of being scared, let this be the powerful catalyst you need to transform your online security – by changing your passwords (or better yet switching to passkeys), locking down your online accounts with 2FA, deleting unused accounts and apps, and sharpening your ability to spot a phishing scam.
With billions of passwords floating around online, you may be wondering what steps you can take to improve your online security. If that's the case, chances are you might be considering investing in antivirus software or even identity theft protection. They're both designed to help keep you safe online, but there are some key differences between the two that will help you decide which is right for you.
The best antivirus software (or the best Mac antivirus software for your Apple computer or the best Android antivirus apps for your Android smartphone) is designed to protect you from malware and other threats before they can infect your devices. By using a database of known threats, your antivirus software is able to scan and flag any potentially harmful files or software. It's worth noting that while paid antivirus software is updated more regularly and comes with plenty of extras like a VPN or a password manager, you likely already have access to built-in antivirus software in the form of Windows Defender on PC, XProtect on Mac and Google Play Protect on Android.
Now, the best identity theft protection services often come with an antivirus solution, but that's not their main purpose. Instead, they're designed to proactively monitor your banking and other online accounts for signs of fraud or suspicious activity. They also keep an eye on your Social Security number and other sensitive personal information.
The big difference with identity theft protection is that these services include identity theft insurance to help you recover funds lost to fraud in addition to helping you recover your identity. At the same time, you also get access to experts that can walk you through the process of freezing your credit and dealing with the fallout from identity theft. They can help you get new documents. The big thing to keep in mind with identity theft protection is that it only works if you sign up before a major security incident takes place.
Signing up for both antivirus software and identity theft protection is the best way to protect yourself and your data online. However, this can get expensive fast. If you're on a tight budget, I'd start with antivirus software first and then sign up for identity theft protection once you have more to lose.
One way to make things more affordable is to look for antivirus and identity theft protection providers that offer family plans. That way, you can spread the cost between multiple people and rest easy knowing that your grandparents, parents, aunts, uncles, your children and yourself are all protected. Likewise, you want to stay up to date on the latest online scams and make sure that you share this knowledge with both your older and younger family members.
Besides having your personal data and passwords exposed online, you also need to be on the lookout for new or upgraded malware. Case in point, the Godfather malware, which was first spotted back in 2021, recently got an upgrade that makes it even more is a banking malware that targets popular banking and financial apps by using overlay attacks. While you might think you're logging into your banking app once infected, you're actually inputting your username and password onto an overlay that appears over the legitimate app. Hackers study the look and design of popular banking apps to create these overlays, which they use to harvest account credentials.
With these in hand, they can log into and drain your financial accounts. Now though, the Godfather malware is using a new trick to evade detection and steal money from unsuspecting users. Instead of overlays, the malware is now using virtual versions of legitimate apps to commit fraud in real time.
To avoid falling victim to this and other malware strains, you want to avoid sideloading apps and opening attachments or links from unknown senders. It's also always a good idea to limit the number of apps on your phone overall, as even good apps can go bad when they're injected with malicious code.
Though this breach may be the biggest in terms of numbers, it has similarities to a few other recent breaches. For example, like three other recent breaches, this latest massive breach includes older data that has been around for a while and repackages it, then leaves it exposed in an open database, making it easily accessible for any threat actor to grab. When it's discovered, it is quickly removed, which makes it difficult to determine who owned the database and therefore who was responsible for breaching the collected information.
The data leak of AT&T data that we reported about earlier this month is similar and involved more than 86 million records that tied AT&T user data to sensitive personal information like Social Security numbers and birth dates. And again, a day earlier in China, more than 4 billion records were compiled that included everything from WeChat transcripts and phone numbers to gambling history. In May of this year, 184 million passwords from companies like Apple, Google, Microsoft, Instagram, Facebook, Snapchat and more were compiled and stored in a plaintext database.
The trend towards larger and larger breaches is clear. At this point it seems inevitable that your passwords and data can, and will, be compromised at some point, and it is up to consumers to protect themselves by using every tool available.
When a large number of passwords or a collection of sensitive personal information is exposed online, people often get hung up on whether it's a data breach or a data leak. Here's the difference between the two.
For a data breach to occur, hackers or other cybercriminals need to gain unauthorized access to a company or even a government's systems. Once inside, they then steal or exfiltrate as much data as they can with the intention to use this info for blackmail, phishing or other cyberattacks.
Now with a data leak, the same types of personal and even financial information from a data breach may be exposed. However, how that data ended up online is the main difference. Data leaks often occur due to human error. For instance, maybe someone forgot to password protect a database and left it open online for anyone to access it. This might sound hard to believe, but this happens way more often than you'd think.
Another way that a data leak can occur is through scraping. Just like marketing firms do, hackers often scrape public databases for personal details and other info. All of this data is then put together in a database and, if not secured correctly, it too can leak out onto the open web.
Regardless of whether you're dealing with a data breach or a data leak, the end result for you as the user is the same. Your information is available online and could be used against you. One way to limit your exposure is by using a data removal tool. There are standalone ones like Incogni, or you might find one available as an extra feature with your antivirus software or VPN, like with ExpressVPN's Personal Data Removal this security incident has made you rethink your cyber hygiene, a data removal service is another tool you should add to your security arsenal along with antivirus software and identity theft protection.
Now that billions of passwords have been exposed online, hackers and other cybercriminals are probably already thinking about how they'll use this data to their advantage in future attacks.
Here are the ways this leaked data will likely be used first:
If a password was leaked alongside a username, then hackers are definitely going to try and see if they can use these credentials to log in. They will likely try the account the password is associated with first, and after that they might try to log into other popular online services. What they're hoping for is that the person this username and password belongs to was foolish enough to reuse the same credentials across multiple online accounts. Password reuse is one of the easiest ways you can set yourself up to get hacked, so if you use the same password on multiple sites and services, stop what you're doing and go create a unique and complex password for each of them.
If the leaked username and password work, they'll then take over the account and use it as their own. They could use it in other attacks or even to send out phishing messages to any contacts associated with that account.
The next big thing that we'll likely see is targeted phishing attacks. Unlike your standard phishing attack, these go after specific people by using public or stolen info to build trust with potential victims. If a hacker impersonates someone you know or claims to know them too, you're more likely to respond to their messages and you could potentially be swayed by their if a username and password combo was leaked for a banking or financial account that contains loads of sensitive personal data, hackers could try to steal your identity.
These are all the main potential threats you're going to want to be on the lookout for, but there could be more. My advice: keep your head on a swivel and keep tabs on all of your online accounts just to be safe. Likewise, consider investing in identity theft protection for additional peace of mind.
CNBC is reporting that Aflac has "identified suspicious activity" in its network. This activity could impact Social Security numbers and other information.
"We continue to serve our customers as we respond to this incident and can underwrite policies, review claims, and otherwise service our customers as usual," Aflac said in a statement.
According to CNBC, the investigation is in its early stages and Aflac does not yet have the total number of potentially affected customers. Impacted information may include claims information, health info, Social Security numbers and other personal information related to everyone from customers and beneficiaries to employees, agents and "other individuals." The insurance company has said that it will offer free credit monitoring and identity theft protection and Medicaid shield for up to 2 years for anyone that reaches out to its call center.
Google will reportedly require you to activate 2-step verification to access your Gmail account, especially as Gmail was one of the affected databases in the big breach. It's meant to help curb phishing and spam emails that have been on the rise lately. As part of that, you should replace your password with a passkey. You can activate 2SV now if you haven't already to get ahead of it.
With this massive data breach on the mind, now is as good a time as any to do some security homework. We've put together a guide to the seven things you should do now to make sure your accounts and devices are safe. We have more details in the guide, but here's a brief rundown of what you need to secure.
Passwords
Browsers
Two-factor and multi-factor authentication
Update social media settings
Delete, remove and unsubscribe
Update software and enable automatic updates
Check and update settings
This record-breaking data breach included URLs, usernames, and, most importantly, passwords, which means you should seriously consider updating yours for Google and Facebook. But creating strong, complex passwords is a tall order, and remembering them is even harder, especially when you should ideally have one for every site you log into.
You could try to keep them all in your head if you have Rain Man-level recall. If you don't, why not offload that process by getting a password manager and free up all that precious memory for more important things? Password managers make it easy to securely store all of your passwords in one place, and most will even autofill them into a website or app when you log in. We dive into the best picks for iPhone, Android, privacy, and more in our guide to the best password managers.