MANILA: Three Filipino user accounts were compromised every minute in 2025, according to a new analysis by the cybersecurity company Surfshark.
Over the course of 2025, that steady digital haemorrhage added up to 1.3 million breached accounts, placing the Philippines 25th worldwide.
Globally, 425.7 million user accounts were compromised in 2025, the equivalent of 13.5 accounts every second. The United States accounted for 142.9 million of them, or 34 per cent of the global total, followed by France, India, Germany and Russia.
The breaches in the Philippines were not evenly spread across the year.
The third quarter proved especially punishing, with 477,700 accounts compromised, more than a third of the annual total in just three months.
The figures underscore what cybersecurity experts say is a growing normalisation of data exposure, as digital services permeate daily life, from banking and shopping to education and government transactions.
“Looking back at the data breaches of 2025, one thing is clearer than ever: We must stop treating breaches as singular, explosive events and start seeing them as a permanent feature of our digital environment,” Mr Tomas Stamulis, chief security officer at Surfshark, said in a statement on Feb 11. “They are a constant threat, and your data is likely already exposed.”
While the Philippines recorded fewer total breaches than Indonesia, which had 3.2 million accounts compromised in 2025, the relative risk appears similar.
Both countries saw 11 breached accounts per 1,000 residents in 2025. Indonesia’s larger population accounts for its higher raw numbers, but the breach density suggests Filipinos face comparable exposure.
The longer view is more sobering.
Since 2004, the Philippines has been the second-most affected country in South-east Asia, with 155 million compromised user accounts, according to the analysis.
In total, 57.4 million unique e-mail addresses have been exposed in breaches tied to the country.
Even more alarming to cybersecurity specialists is the scale of password leakage.
An estimated 79.6 million passwords have been exposed alongside Filipino accounts since 2004. Because many users reuse passwords across multiple platforms, a single leak can cascade into account takeovers, identity theft or extortion.
Statistically, the average Filipino has been hit by a data breach at least once – one of the highest rates in South-east Asia, ranking fourth in the region.
Philippine regulators say the more urgent threat may not be shadowy hackers breaching firewalls, but ordinary people being persuaded to open the door themselves.
Data show that deceptive “social engineering” tactics now drive more than three-fourths of all financial fraud in the Philippines.
Tactics such as smishing (fraudulent text messages), phishing (fake e-mails), vishing (voice phishing calls), and so-called love scams exploit user trust to bypass even sophisticated security systems. Together, these accounted for more than 75 per cent of total cyberthreats in 2025, according to the central bank.
By contrast, hacking accounted for 13 per cent of overall fraud losses in 2025, while card-not-present fraud made up 8 per cent.
The vast majority of financial theft, regulators say, was enabled by victims who were manipulated into disclosing one-time passwords, login credentials or other sensitive information.
Robert Paguia, data protection officer at the Cybercrime Investigation and Coordinating Center, told The Straits Times that the simplest way to plug the breaches is for people to just use common sense.
“If you don’t know the number, don’t answer it. If you received links for you to click, don’t click on them. Don’t provide your OTPs (one-time passwords) because banks and other financial institutions will not ask for those,” he said. - The Straits Times/ANN
