New Zealand logins and passwords have been found for sale on the dark web. Image / Herald Network graphic
A cyber security start-up says it has found active logons – including passwords – for sale on the dark web for staff at New Zealand Government agencies, local healthcare providers and one of the big four banks.
The firm, nWebbed, says its “NZ Cybersecurity Study” analysed 30 billion credentials for sale on the dark web, found more than 198,000 compromised credentials linked to New Zealand organisations and companies.
According to its founder, Julian Wendt, these include:
Some of the healthcare logins had been used as recently as last month, Wendt said. A major bank logon had been used in May.
Wendt would not name those affected for security reasons, but said he had shared his findings with the healthcare providers and others affected by apparent active account breaches.
He had also informed the Office of the Privacy Commissioner (OPC) and the GCSB’s National Cyber Security Centre (NCSC) about his investigation, he said. A spokeswoman for the OPC said, “To date, OPC have not had any discussions on this issue.” NCSC had no immediate comment.
Hackers gaining access to a healthcare staffer’s login didn’t necessarily mean security holes in a hospital’s network or a successful “phishing” attack (when a hacker pretends to be a legitimate service).
It could be that the staff member used their work email address – and their work password – when they created an account with another site, which was then compromised.
The Herald sighted a list of logins and passwords (the latter obscured by Wendt) used by employees of a private company (not in banking or healthcare).
Some of the logins were 10 or more years old, and all had been used to set up accounts with third-party sites rather than being active logins for their company’s own systems.
The company concerned forced its users to constantly change its passwords, with logins also subject to multi-factor authentication in the form of confirmation messages sent to a user’s cellphone.
However, Wendt said he has seen credentials for sale on the dark web within minutes of an attack and that multi-factor authentication could be circumvented if a hacker had even brief access to a network.
“Most organisations are watching the perimeter, not what’s already leaked,” he said.
Credentials and documents from previous breaches were often sitting on the dark web without an organisation realising.
Wendt says he’s found some Kiwis’ credentials sloshing around on the dark web for free.
He says hackers often display a limited number of users’ credentials (including logon names and full passwords) as a free taster for a full stolen list. At other times, they simply display them to brag.
And when a username and password is tied to, for example, a specific bank account with a known balance, it can attract a premium price (see list below).
However, most of the 198,000 compromised credentials that Wendt found came within bulk lots, available at low cost.
He showed the Herald one post where a seller was providing free access to 900,000 credentials as a taster for a collection of 200 million – available for a one-off cost of US$2000 ($3390) or a via a monthly subscription to the seller’s “collection” for US$200 for your first month then US$100 per month.
A June 2025 study by multinational credit reporting company Experian found the following prices for individual credentials on the dark web (its US dollar finds are converted to rounded NZ dollars):
A separate study by managed network and security provider Crowdstrike said typical dark web prices also included:
Wendt borrowed a Star Wars phrase to describe the dark web as a “wretched hive of scum and villainy”.
More specifically, he said it is “an area of the internet that requires special software to access”.
“It’s not indexed by search engines by Google; you have to know where you want to go before you start – some ‘surface’ websites help with that.”
Once you make it to one dark web site, it often grants access to others.
Wendt says his earlier career has included working for Hackers Without Borders, a volunteer group that has helped the Red Cross and other non-profits close vulnerabilities in their tech systems.
He says he set up the (now six-person) nWebbed in mid-2023 out of “frustration” that there was no middle ground between basic free services for tracking if your credentials were on the dark web, such has as the New York Times-namechecked HaveIBeenPwned, and corporate services that cost hundreds of thousands of dollars.
Wendt says his firm has used AI and machine learning in its analysis and stalking of dark web cyber-crime platforms.
He adds, “I’ve been in this game for well over a decade, so have access to some of the channels where cybercriminals often share their loot quite freely.”
This far into the cyber-security crisis, most people are aware of the usual tips, which include:
Wendt says his number one security tip is to use a “pass phrase” as your password for a site.
“It could be a line you’ll be able to remember because it’s from one of your favourite songs, books, or movies,” he says.
A number of security experts have recommended using a pass phrase in security tips they’ve supplied to the Herald.
For Wendt, it’s his absolute number one tip for defeating hackers’ automated systems.
“It’s length that makes the difference, more than complexity,” he says.
In his view, forcing staff or customers to constantly change passwords can have its drawbacks. Some would get fed up and use a guessable password and only make a minor tweak each time, such as changing a number on the end.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.