Remita Starts API Key Resets After Alleged KYC Data Leak

In Short

• Remita instructed partners to regenerate API credentials and whitelist IP addresses.
• The move followed online reports of an alleged breach linked to Remita’s cloud infrastructure.
• Reported exposed data includes KYC files like passports and NINs, plus other sensitive assets.

What Happened

Nigeria’s payment platform Remita has started API key resets and asked partners to urgently regenerate their API credentials. An API key is a secret code that lets one software system talk to another, like a door access card for a developer integration.

Partners were also told to whitelist their IP addresses. IP whitelisting means only approved network addresses can connect to Remita’s systems, like allowing entry only from a list of known office locations.

The instruction came after reports of an alleged data breach. According to Peoples Gazette, the alleged exposure could involve at least three terabytes of data, including passports, National Identification Numbers, bank statements, and other Know Your Customer information. KYC is the identity checks financial firms collect to verify users.

Peoples Gazette said Remita’s message to customers did not mention a hack. Instead, it referred to “some hitches” between Remita’s environment and partner systems, and linked the disruption to “ongoing efforts” to improve efficiency and service delivery.

Separate posts referenced claims that the breach was tied to an Amazon cloud server and that a threat actor may have accessed databases, source code, password hashes, and government Hardware Security Module secrets. An HSM is a specialised device for storing and using encryption keys, which are critical for securing financial and government transactions.

Why It Matters

Remita is widely used for salary payments and collections across parts of Nigeria’s public and private sectors. If KYC documents were exposed, affected users could face higher risk of identity fraud, account takeovers, and targeted scams.

For businesses integrated via APIs, key rotation and tighter network controls can reduce immediate risk. But it can also cause downtime and failed transactions if partners do not update credentials quickly.

The incident also adds pressure on Nigerian fintech and payment infrastructure providers to improve breach detection, disclosure clarity, and third-party security practices across cloud environments.