Surfshark’s quarterly analysis of global data breaches shows that South Africa ranks as the 42nd most breached country in Q1 2026, with 212 700 leaked accounts.
Globally, a total of 210.3 million accounts were breached, with the US ranking first and amounting to 29% of all breaches from January through March. France takes second place, while India is third, followed by Brazil and the UK.
Since 2004, South Africa has been the second-most hit market in Africa, with 45,7-million compromised user accounts.
A total of 13,3-million unique emails were breached from South Africa. With 22,9-million passwords leaked together with South African accounts, this puts 50% of breached users in danger of account take over that might lead to identity theft, extortion or other cybercrimes.
Statistically, 70 out of 100 South African people has been affected by data breaches.
Since 2004, the password (22,9-million) and the username (12-million) have been the most commonly compromised South African data points in breaches.
The scope of exposed information often extends to highly sensitive personal data, such as Social Security Numbers (78 000), financial data like payment card numbers (69 700), and contact information, such as phone numbers (3,5-million) and addresses (3,1-million).
Globally, the number of breached accounts tripled in Q1 2026 compared to the same period in 2025 and increased by 22% compared to the last quarter of 2025.
An important fact is that, in 2025, 20,2% of companies reported using AI, up from 8,7% in 2023 — meaning adoption has more than doubled over the past two years. Do the figures for recent AI adoption and the increase in data leaks correlate?
According to Tomas Stamulis, chief security officer at Surfshark, as companies rapidly adopt AI, they increase the amount of user data stored, expand the number of digital systems they use, and integrate more platforms to manage larger volumes of user data.
“These AI-driven systems also collect and log more detailed user information for automation, analytics, and model improvement,” he says. “While this improves the company’s efficiency, it also means there are many more systems for businesses to secure, more opportunities for error, and more points where sensitive information such as user credentials and personal data can be exposed.
“As a result, hackers now have a larger and more complex environment to exploit and execute attacks, including data breaches.”
With data breaches becoming a daily risk for companies, Stamulis shares his deepest concerns about businesses forcing users to create accounts and provide personal information to complete an online purchase when there is no clear need for it.
“For people, a data leak means their personal information is forever on the internet. It’s not a one-time threat that disappears after a user changes their compromised email address and password.
“It becomes a constant security risk as hackers reuse leaked data, package it into ‘combo lists’, combine it with new leaks, and resell it repeatedly.
So, even after 10 or 20 years, leaked data is still valuable and can be used against a user to commit fraud, gain access to more data, and steal money,” Stamulis says.
He reminds people of the main habits of personal data hygiene in the age of AI:
- Provide your real data, such as your primary email address, telephone number, home address, and other sensitive personal information, only when there is a critical need, such as filling out official forms;
- In other cases, use an alternative identity or email masking services;
- Avoid providing your data unless necessary.