Hibiscus Coast App

Thousands of NZ Credentials Leaked

Hibiscus Coast App

Staff Reporter

06 August 2025, 1:03 AM

Thousands of NZ Credentials LeakedHealth, banks, government staff data exposed online.

Thousands of leaked email logins tied to New Zealand’s government, banks and health providers have turned up for sale on the dark web, according to a new cybersecurity study.


The nWebbed NZ Cybersecurity Study found more than 150 million compromised credentials linked to New Zealand, with over 198,000 local organisations affected.





That includes more than 18,000 government workers, 3,200 banking staff and 2,000 privileged healthcare accounts.


Julian Wendt, founder of Kiwi tech start-up nWebbed Intelligence, says many organisations are unaware their data has already been leaked.


“These are real emails and passwords, sitting in the wild. They’re searchable, for sale and vulnerable to exploitation,” says Wendt.


The dark web is often used by cybercriminals to trade stolen information.


Wendt says many breaches remain undetected for months or even years, with some staff credentials exposed in multiple leaks.


Julian Wendt, founder of nWebbed Intelligence. Photo: supplied.


The study highlights the urgent need for better visibility, not just perimeter defence.


“Even businesses with good internal practices are often shocked to see what’s already out there. This is about knowing where your data lives, not blaming anyone,” says Wendt.


Locally, the story hits close to home.


Coasties rely on the same government services, health providers and banks now shown to have compromised credentials.


If your email ends in a .govt.nz, or belongs to a large provider, it might already be circulating online.


nWebbed has launched a real-time threat monitoring platform using AI to help organisations act fast and close security gaps before they’re exploited.





How to Check if You’ve Been Exposed


Here’s a quick checklist to help you stay safe:


  1. Check your email at haveibeenpwned.com
  2. Search all personal and work email addresses
  3. Use a breach monitoring tool (e.g. Firefox Monitor, 1Password, or nWebbed)
  4. Change any leaked passwords immediately
  5. Don’t reuse passwords—make each one unique
  6. Enable two-factor authentication (2FA)
  7. Watch for suspicious logins or activity
  8. Use a password manager to stay on top of it all



Seen something local we should cover?

Let us know at [email protected]