Exclusive: Personal data of over 840,000 customers allegedly leaked on loan app, iCredit

Omoleye Omoruyi

“We don’t know of any data leak from the company,” Bunmi (name changed), who picked up the call when Technext dialled customer care, responded. His tone was firm and unwavering. He insisted that BestFin would not intentionally leak the data of its customers. “We take privacy very seriously,” he added.

When Technext suggested that the breach might have been external—perhaps a hacker or poor security—Bunmi still pushed back, saying he did not think anyone could do that. It was almost as if the possibility of a data breach was an idea that had never crossed his mind.

Before this conversation, we had another call with BestFin’s customer care line. After introductions, the response received was almost shocking. The person on the other end laughed softly before whispers were heard in the background. The journalist was asked to repeat sentences multiple times.

It seemed like they were passing the phone around or were simply unprepared to handle such a question. You could hear faint giggling in the background. What should have been a serious inquiry about a serious breach was treated with indifference—and perhaps even amusement.

This interaction speaks to a deeper issue with BestFin’s internal culture. If the people responsible for answering customer queries cannot take a data breach seriously, it’s hard to imagine that the company’s leadership is treating it with the urgency it deserves.

For a company handling sensitive personal data, this response was alarming. It suggests a lack of professionalism at best, and at worst a disregard for the customers who trusted them.

The massive data leak from BestFin and how it was found

Disclosure timeline

  • July 2, 2024: Leak discovered.
  • July 4, 2024: Initial disclosure email sent; multiple follow-up emails followed.
  • August 26, 2024: Access to the data was closed.

On July 2nd, 2024, the Cybernews research team discovered something unexpected: an open MongoDB database linked to BestFin Nigeria, a financial technology company that operates the popular iCredit loan app.

The database was over 300GB in size, left completely exposed to the public internet. Anyone with minimal technical know-how could have accessed it. And inside, the data of 846,000 people sat unprotected.
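An unauthenticated MongoDB instance reachable from the public internet is, in most cases, the product of two settings in mongod.conf: net.bindIp (or net.bindIpAll) deciding which interfaces the server listens on, and security.authorization deciding whether clients must log in. Since MongoDB 3.6 the server binds to localhost unless told otherwise, and authorization is disabled unless enabled explicitly, so a single bindIp change is enough to produce the exposure described here. The audit below is an added example, not code from the article, Cybernews, or BestFin: it reads a mongod.conf, flags the weak combination, and shows the hardened form beside it. Both configuration texts and the 10.0.0.5 address are constructed for illustration.

```python
"""Audit a mongod.conf for the two settings that together put a database on
the public internet with no login.  Added example; both configs are constructed."""

# Constructed: the kind of configuration that produces an open instance.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
# no security section: authorization defaults to "disabled"
"""

# Constructed: the corrected configuration.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus a private app-network address (constructed)
security:
  authorization: enabled       # every client must authenticate
"""


def parse_simple_yaml(text):
    """Minimal parser for the 'section:\\n  key: value' layout of mongod.conf.
    Handles nested mappings and comments only; it is not a full YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs; root never pops
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weakness was found."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})

    # mongod 3.6+ binds to localhost when bindIp is absent.
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addresses = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    public = bind_all or any(a in ("0.0.0.0", "::") for a in addresses)

    # authorization is "disabled" unless set explicitly.
    auth_on = str(security.get("authorization", "disabled")).lower() == "enabled"

    findings = []
    if public and not auth_on:
        findings.append("CRITICAL: listens on all interfaces with authorization disabled; "
                        "anyone who can reach the port can read every collection")
    elif public:
        findings.append("WARN: listens on all interfaces; restrict bindIp to private "
                        "addresses and firewall the port")
    elif not auth_on:
        findings.append("HIGH: authorization disabled; any process on the host can read the data")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

The check is deliberately conservative: a server bound to all interfaces is reported even when authorization is on, because a network-level exposure still leaves brute force and any future authentication bug reachable from the internet, and a 300GB store of this kind belongs behind a private network and a firewall regardless of login settings.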

Personal data including SMS messages, BVN, contact details of over 840,000 customers leaked, but BestFin claims ignorance

The sheer volume of data in this leak was staggering. It wasn’t just the basics, like names or phone numbers, that had been exposed. The data included detailed personal information, emergency contact lists, private SMS conversations, and even banking-related details. Some of this data, like one’s Bank Verification Number (BVN), could be used to unlock bank accounts or steal someone’s identity.

According to a screenshot of the leaked database (above) provided by Cybernews, the data includes:

  • _id: A unique identifier for the record.
  • accountId: Likely an internal identifier for the loan application.
  • birthday: The applicant’s birthdate.
  • BVN: Bank Verification Number (BVN), a unique identification number for Nigerian citizens.
  • bvnChecked: Indicates if the BVN has been verified.
  • companyName: The name of the company applying for the loan.
  • contact1, contact2, contact3, contact4: Details of the applicant’s emergency contacts, including names, mobile numbers, and relationships.
  • ctime, utime: Timestamps indicating the creation and update times of the record.
  • education: Possibly an indicator of the applicant’s educational level.
  • email: The applicant’s email address.
  • firstName, lastName, middleName: The applicant’s full name.
  • gender: The applicant’s gender.
  • hasOutstandingLoan: Indicates if the applicant has any existing loans.
  • homeAddress, homeArea, homeState: The applicant’s home address details.
  • marital: The applicant’s marital status.
  • mobile: The applicant’s mobile phone number.
  • result: A numerical value possibly representing the loan application’s status or outcome.
  • salary: The applicant’s monthly salary.
  • storeTime: A timestamp related to the data storage process.
  • work: Possibly an indicator of the applicant’s employment status.

And then there was the SMS data—something that should have never been stored in the first place.

The iCredit app collected and saved every text message that users received, including:

  • Personal chats unrelated to their loans,
  • OTP codes from banking apps,
  • Conversations with family members, and even
  • Temporary passwords for services entirely disconnected from finance.

All of it was sitting in this database, waiting for anyone to see.
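The field list above and the SMS collection just described show what was stored; the defender's answer is to never persist most of it. The following is an added example, not code from the article, Cybernews, or BestFin, of a storage-side minimisation step in Python: it keeps only an allowlisted set of the fields named above, replaces the raw BVN with a keyed hash so records can still be matched or deduplicated without the number itself, keeps a single emergency contact reduced to name and number, and discards SMS bodies outright while counting how many carried one-time codes or temporary passwords. The sample record, the key, the allowlist and the detection regex are constructed assumptions; in a real deployment the key would live in a KMS or HSM, never beside the data.

```python
import hashlib
import hmac
import re

# Constructed allowlist: the fields a credit decision plausibly needs.  Everything
# else in the incoming record (full contact list, raw BVN, SMS bodies) is not persisted.
ALLOWED_FIELDS = {
    "accountId", "firstName", "lastName", "middleName", "birthday", "gender",
    "email", "mobile", "homeState", "salary", "marital", "result",
    "hasOutstandingLoan", "ctime", "utime",
}

# Constructed pattern for texts that carry one-time codes or temporary passwords.
SECRET_SMS = re.compile(
    r"\b(otp|one[- ]time (?:password|code)|verification code|passcode|temporary password)\b",
    re.IGNORECASE,
)

# Constructed demo key.  A real key is fetched from a KMS/HSM at runtime.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample record shaped like the field list in the article.
SAMPLE_RECORD = {
    "_id": "constructed-0001",
    "accountId": "ACC-42",
    "firstName": "Ada", "lastName": "Example", "middleName": "",
    "birthday": "1990-05-04", "gender": "F", "marital": "single",
    "email": "ada@example.com", "mobile": "+2348000000000",
    "homeAddress": "12 Sample Close", "homeArea": "Ikeja", "homeState": "Lagos",
    "salary": 250000, "result": 1, "hasOutstandingLoan": False,
    "BVN": "12345678901", "bvnChecked": True,
    "contact1": {"name": "Bola Example", "mobile": "+2348000000001", "relationship": "sister"},
    "contact2": {"name": "Chidi Example", "mobile": "+2348000000002", "relationship": "friend"},
    "sms": [
        "Your OTP is 483921. Do not share it with anyone.",
        "Are you coming home for dinner on Sunday?",
        "Temporary password for your account: Qz7pL2",
        "Use verification code 1122 to confirm the transfer.",
    ],
}


def pseudonymise_bvn(bvn: str, key: bytes) -> str:
    """HMAC-SHA256 of the BVN under a secret key: deterministic, so the same
    person maps to the same token, but the number cannot be recovered from
    the stored value without the key."""
    return hmac.new(key, bvn.encode("utf-8"), hashlib.sha256).hexdigest()


def is_secret_sms(body: str) -> bool:
    """True when a message looks like it carries a one-time code or temporary password."""
    return SECRET_SMS.search(body) is not None


def minimise_record(record: dict, key: bytes) -> dict:
    """Reduce an incoming application record to what may be persisted."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}

    # Keep the verification flag and a keyed token, never the raw BVN.
    if "BVN" in record:
        out["bvnToken"] = pseudonymise_bvn(record["BVN"], key)
        out["bvnChecked"] = bool(record.get("bvnChecked", False))

    # One emergency contact, name and number only; contact2..contact4 are dropped.
    first = record.get("contact1")
    if first:
        out["emergencyContact"] = {"name": first.get("name"), "mobile": first.get("mobile")}

    # SMS bodies are never persisted.  The counts exist only so an audit can show
    # how much secret-bearing traffic the collection path was seeing.
    sms = record.get("sms", [])
    out["droppedSmsCount"] = len(sms)
    out["droppedSecretSmsCount"] = sum(1 for m in sms if is_secret_sms(m))
    return out


if __name__ == "__main__":
    for field, value in sorted(minimise_record(SAMPLE_RECORD, DEMO_KEY).items()):
        print(f"{field}: {value}")
```

Two design points are worth noting. The BVN token is keyed rather than a plain hash because an 11-digit number is trivially brute-forced against an unkeyed SHA-256; with HMAC, a copy of the database is useless for that without the key. And the SMS counters are there to make the case for removing the SMS permission altogether: a collection path that sees OTPs and temporary passwords in most messages has no legitimate reason to exist.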

The Cybernews Research team expressed shock upon stumbling on this treasure trove of sensitive information. They had found numerous leaks before, but few with data collection practices this invasive. BestFin wasn’t just tracking whether people could repay loans—it seemed they wanted to know everything about their users.

The Cybernews research team monitors a range of sources for data that has already been exposed, investigates it, and publishes its findings.

According to the company, “We constantly monitor public-facing IP addresses and ‘Internet of Things’ search engines. We also employ our know-how to hunt down insecure instances. We do not conduct, approve, or encourage any black/grey hat hacking or illegal activities. We work diligently to find our information legally, using everyday tools and investigative techniques.”

A closer look at invasive practices

Digital loan apps have become popular in Nigeria for their quick turnaround times and easy access to funds. BestFin’s iCredit app is no exception. But speed, in this case, came at a heavy cost: privacy. Many customers probably didn’t realise just how much of their data they were handing over.

Here’s what BestFin collects from its customers:

  • Personal data: Names, genders, phone numbers, email addresses, home addresses, date of birth, salary ranges, and marital statuses.
  • Emergency contacts: Not just a single name and phone number, but full access to users’ entire contact lists.
  • Device information: Details like the IMEI (the unique identifier for mobile devices), phone models, and IP addresses.
  • All SMS messages: This included personal messages, OTP codes, and even temporary passwords for financial and non-financial accounts.

Some users might think these details are necessary for loan eligibility checks, but this goes far beyond what is required.

Nigeria’s Data Privacy Regulations are clear—companies cannot access or store this kind of sensitive data without explicit consent. The collection of personal SMS messages, in particular, violates the most basic principles of user privacy.

Why would a loan app need access to someone’s private conversations? What justification could they have for storing unrelated OTP codes or chats between friends? BestFin’s data practices seem to have gone beyond loan assessment into a realm of data hoarding.

Consequences of the leak

For the 846,000 customers affected, the exposure of their data was a ticking time bomb. Phishing attacks, identity theft, and online fraud are all potential threats that now loom large over them. With access to people’s BVNs and SMS OTPs, cybercriminals could easily breach bank accounts, steal funds, or assume new identities using the victims’ information.

And the SMS data? It’s even worse than it seems. OTP codes, or one-time passwords, are commonly used to log in to accounts or confirm financial transactions. By having access to these codes, an attacker could bypass security systems and take over accounts.


Even temporary passwords for social media or email accounts were saved in BestFin’s database, meaning attackers could potentially break into almost every aspect of a user’s digital life.

It’s not just about money. There’s a deeper violation here—the violation of trust. When users sign up for a loan app, they expect a degree of privacy. They might agree to share certain data for credit scoring, but they don’t expect to hand over the keys to their entire digital existence.

Loan apps and harassment: Shady recovery practices exposed

Digital lenders in Nigeria have been under fire for their aggressive debt recovery tactics for years. BestFin’s data leak shines a new light on how bad things can get.

Among the leaked SMS messages, Cybernews researchers found evidence of harassment, blackmail, and public shaming. In one case, threatening messages were sent to a customer who was late on payments. These weren’t polite reminders to repay loans; they were outright threats.

Some messages accused borrowers of being irresponsible, heartless, or even dishonest.

But we’ve experienced worse. Some apps take their harassment further by contacting emergency numbers listed in customers’ profiles. This practice, known as “name and shame,” involves texting or calling friends and family members to inform them that their loved one has defaulted on a loan. The goal? To publicly embarrass the borrower into paying up.

One message went as far as calling a customer “a heartless human being” for failing to repay a loan on time.


This tactic is unethical and illegal under Nigeria’s existing regulations. The Federal Competition and Consumer Protection Commission (FCCPC) had previously taken action against loan apps that engaged in such practices, but the data leak shows that these methods are still very much alive.

BestFin may not be the only company engaging in these tactics, but the leak proves that the use of intimidation and harassment is widespread in the Nigerian fintech industry.

A security breach within a breach

As if things couldn’t get worse, the Cybernews research team also found evidence that cybercriminals had taken notice of the exposed database. Within the data dump was a ransom note from hackers demanding payment of 0.01 bitcoin (about $640) in exchange for recovering the database.

This suggests that not only was BestFin’s database exposed for months, but it was also potentially manipulated by attackers.

Ransomware attacks like this are becoming increasingly common, especially against companies with poor security practices. While BestFin’s system remained exposed, anyone could have accessed it, stolen data, or even encrypted it to demand a ransom. The ransom note left by the hackers indicates that the database was no longer entirely in BestFin’s control, a chilling realisation for the customers affected.


It’s hard to say how much damage this breach has caused, or if cybercriminals managed to sell the data before the database was secured. The fact that it remained open for nearly two months only raises more questions about BestFin’s internal security protocols. Why didn’t the company notice the breach at all? And how could they leave their customers so vulnerable?

BestFin’s silence speaks volumes

Since Cybernews first reported the leak, BestFin has been notably silent. Their customer care representatives continue to insist that no breach has occurred, despite obvious evidence.

“I am putting it clear that there was no data leak,” Bunmi from BestFin insists.

So far, BestFin has offered nothing—no apology, no official statement, and no signs that they are addressing the issue.

What does the future hold for BestFin’s customers?

For the victims of this breach, the future is uncertain. While the database may now be closed, the stolen data will continue to circulate on the internet. Phishing scams, identity theft, and financial fraud are all possibilities that customers will have to guard against.

The Nigerian government has promised to strengthen its data protection laws, but the damage has already been done. BestFin’s customers will likely face the consequences of this breach for years.

Who will hold BestFin accountable for this catastrophic failure?

For Bunmi, the BestFin representative who assured me that the company did not know about a leak, it may be difficult to realise the extent of the damage. But for the 846,000 affected customers, the fallout from this breach will likely be far more personal.
