The Corporate Affairs Commission (CAC) has officially confirmed a cybersecurity incident involving unauthorized access to its digital database, prompting an urgent advisory for millions of registered Nigerian companies to update their login credentials immediately.
In a statement released via its official channels on Wednesday evening and widely circulated today, April 16, 2026, the Commission disclosed that it is currently reviewing a breach that affected "limited aspects" of its information systems. While the CAC maintained that the intrusion was swiftly contained, the scale of the potential exposure has sent ripples of concern across Nigeria’s corporate and financial sectors.
The Nature of the Breach
According to the Commission’s management, the security lapse was detected through internal monitoring protocols, triggering an immediate activation of its incident response mechanisms.
"The Corporate Affairs Commission is currently reviewing a cybersecurity incident involving unauthorized access to limited aspects of its information systems," the statement read. "CAC promptly activated its response protocols and is working with the National Information Technology Development Agency (NITDA), relevant government agencies, and partners to assess the scope and impact."
While the official statement describes the breach as "limited," unverified reports from cybersecurity tracking entities, including the threat-intelligence account Dark Web Informer, suggest the impact could be far more substantial. Some claims allege that a threat actor known as "ByteToBreach" may be behind the attack, with rumors circulating that as many as 25 million documents and records could have been exfiltrated. The CAC has not yet confirmed these figures or the identity of the perpetrators.
Immediate Directives for Users
In light of the vulnerability, the CAC has issued a mandatory advisory to all stakeholders, including business owners, directors, and accredited agents who utilize the CAC portal for registrations and filings.
The Commission has urged users to:
Update Login Credentials: Change passwords immediately and ensure they meet high-security standards (using a mix of symbols, numbers, and cases).
Monitor Company Records: Regularly check the status of registered entities on the CAC portal for any unauthorized changes to directorship, shareholding, or registered addresses.
Exercise Extreme Vigilance: Remain cautious regarding unsolicited communications, emails, or phone calls requesting sensitive business information or payment for "rectifying" account issues.
National Implications and System Integrity
The timing of this breach is particularly sensitive. Just two months ago, in February 2026, the CAC announced a significant digital milestone, reporting that it now processes up to 10,000 business registration requests daily following the integration of advanced Artificial Intelligence (AI) into its service delivery.
The Commission also handles an average of 5,000 inquiries daily, making its digital infrastructure one of the most vital nodes in Nigeria's burgeoning digital economy. Analysts warn that even a minor breach of the national corporate registry could facilitate sophisticated identity theft, corporate impersonation, and fraudulent business transfers, potentially undermining investor confidence.
"The CAC database is the bedrock of corporate trust in Nigeria," said one Lagos-based cybersecurity expert. "If the integrity of these records is questioned, it affects everything from bank loan approvals to international mergers and acquisitions."
Ongoing Investigation and Safeguards
The CAC has assured the public that additional safeguards have already been deployed to strengthen the system against future vulnerabilities. The collaboration with NITDA is expected to produce a forensic report detailing the origin of the attack and the specific nature of the data accessed.
Despite the security scare, the Commission maintains that its services remain operational. It has pledged to provide regular updates as the investigation progresses and has reaffirmed its commitment to maintaining the "integrity and security" of Nigeria's corporate registry.
For now, the burden of security remains a shared responsibility. As the government works to patch technical vulnerabilities, millions of Nigerian entrepreneurs are being forced to navigate the reality of digital risk, one password update at a time.