Thousands Of Leaked NZ Govt And Health Agency Credentials On Dark Web - Study

Thousands of leaked employee credentials from government departments, local banks and healthcare organisations are among more than 150 million compromised records tied to New Zealand accessible on the dark web, according to new research.

The nWebbed NZ Cybersecurity Study, which analysed over 30 billion credentials available for sale on the dark web - a hidden part of the internet used as an illegal marketplace by criminals, has revealed an alarming level of vulnerability among Kiwi businesses, with compromised credentials linked to more than 198,000 New Zealand companies and entities.

In addition, the usernames and passwords of more than 18,000 NZ Government workers, 3,200 banking staff and 2,000 healthcare organisation accounts with privileged access to sensitive information were also found in leaked databases on the dark web. The study analysed global breach records and cross-referenced them with local email domains to identify exposure.

Julian Wendt, founder of Kiwi tech start-up nWebbed Intelligence, which has built the world’s fastest-growing database of dark web credentials, says the findings show New Zealand organisations are underestimating the scale and frequency of cyber risk.

He says an urgent review of cybersecurity protocols, credential management systems and third-party access controls across the country’s sensitive institutions and corporations is needed to secure exposed systems and protect the privacy of consumers whose personal data is at risk.

“We are seeing widespread exposure of compromised credentials linked to core parts of the New Zealand economy, including health providers, government agencies, banks and large-scale businesses.

“These are trusted institutions that Kiwis interact with every day, and they are real emails and passwords sitting in the wild. They’re searchable, for sale and vulnerable to exploitation,” he says.

Wendt says many breaches are going undetected for months or even years, and the data is still circulating.

“It’s not that someone was hacked once and that’s it. In many cases, credentials from five or six separate breaches are still sitting out there, waiting to be exploited,” he says.

Wendt says New Zealand urgently needs to shift away from reactive cybersecurity practices. “You can't wait for the ransom note to start caring about where your data ends up. We need a preventative model, and that starts with visibility.

“Most organisations are watching their perimeter, not what’s already leaked. But if your staff credentials are out there, especially admin or technical roles, then attackers already have the keys,” he says.

Wendt says their database is growing by 2 billion credentials each month as the global rate of breaches accelerates.

He says in response to the volume of sensitive credentials available online, nWebbed has launched a new threat monitoring platform that uses artificial intelligence to help organisations close critical security gaps in real time, enabling businesses to act before data is weaponised.

Wendt says the time between a data leak and active exploitation is narrowing, particularly for high-value targets.

“In some cases, we’ve seen attackers move within minutes of credentials appearing online. They’re using automated tools to scan for executive logins, technical roles or access to critical systems.

“What starts as a single leaked password can escalate into a live intrusion before an organisation even realises there’s been a breach,” he says.

Wendt says part of the problem is cultural. “There’s still this assumption in New Zealand that cybercrime is something that happens to big overseas companies. But in reality, our companies are being targeted every day, often because we’re seen as a soft entry point into larger international networks.

“Nearly half of the Fortune 500 companies worldwide have exposed employee credentials available online, and Kiwi companies are facing similar threats. Compromised credentials can be used to access corporate networks, bypass multi-factor authentication or launch phishing attacks,” he says.

Wendt says too many companies rely on outdated risk assessments and miss critical external vulnerabilities.

“Even organisations with good internal cybersecurity practices are often shocked to discover what’s floating around publicly. That includes old passwords, unpatched web portals or documents they thought were private. It’s not about blaming anyone, it’s about visibility,” he says.

Wendt says the next step is to raise awareness and get more Kiwi companies treating external digital hygiene as seriously as they do internal firewalls.

“Most breaches happen because someone didn’t know their login details were already out there. This is a solvable problem if you’re willing to look,” he says.

© Scoop Media