NZ Herald
  • Home
  • Latest news
  • Herald NOW
  • Video
  • New Zealand
  • Sport
  • World
  • Business
  • Entertainment
  • Podcasts
  • Quizzes
  • Opinion
  • Lifestyle
  • Travel
  • Viva
  • Weather

Subscriptions

  • Herald Premium
  • Viva Premium
  • The Listener
  • BusinessDesk

Sections

  • Latest news
  • New Zealand
    • All New Zealand
    • Crime
    • Politics
    • Education
    • Open Justice
    • Scam Update
  • Herald NOW
  • On The Up
  • World
    • All World
    • Australia
    • Asia
    • UK
    • United States
    • Middle East
    • Europe
    • Pacific
  • Business
    • All Business
    • MarketsSharesCurrencyCommoditiesStock TakesCrypto
    • Markets with Madison
    • Media Insider
    • Business analysis
    • Personal financeKiwiSaverInterest ratesTaxInvestment
    • EconomyInflationGDPOfficial cash rateEmployment
    • Small business
    • Business reportsMood of the BoardroomProject AucklandSustainable business and financeCapital markets reportAgribusiness reportInfrastructure reportDynamic business
    • Deloitte Top 200 Awards
    • CompaniesAged CareAgribusinessAirlinesBanking and financeConstructionEnergyFreight and logisticsHealthcareManufacturingMedia and MarketingRetailTelecommunicationsTourism
  • Opinion
    • All Opinion
    • Analysis
    • Editorials
    • Business analysis
    • Premium opinion
    • Letters to the editor
  • Politics
  • Sport
    • All Sport
    • OlympicsParalympics
    • RugbySuper RugbyNPCAll BlacksBlack FernsRugby sevensSchool rugby
    • CricketBlack CapsWhite Ferns
    • Racing
    • NetballSilver Ferns
    • LeagueWarriorsNRL
    • FootballWellington PhoenixAuckland FCAll WhitesFootball FernsEnglish Premier League
    • GolfNZ Open
    • MotorsportFormula 1
    • Boxing
    • UFC
    • BasketballNBABreakersTall BlacksTall Ferns
    • Tennis
    • Cycling
    • Athletics
    • SailingAmerica's CupSailGP
    • Rowing
  • Lifestyle
    • All Lifestyle
    • Viva - Food, fashion & beauty
    • Society Insider
    • Royals
    • Sex & relationships
    • Food & drinkRecipesRecipe collectionsRestaurant reviewsRestaurant bookings
    • Health & wellbeing
    • Fashion & beauty
    • Pets & animals
    • The Selection - Shop the trendsShop fashionShop beautyShop entertainmentShop giftsShop home & living
    • Milford's Investing Place
  • Entertainment
    • All Entertainment
    • TV
    • MoviesMovie reviews
    • MusicMusic reviews
    • BooksBook reviews
    • Culture
    • ReviewsBook reviewsMovie reviewsMusic reviewsRestaurant reviews
  • Travel
    • All Travel
    • News
    • New ZealandNorthlandAucklandWellingtonCanterburyOtago / QueenstownNelson-TasmanBest NZ beaches
    • International travelAustraliaPacific IslandsEuropeUKUSAAfricaAsia
    • Rail holidays
    • Cruise holidays
    • Ski holidays
    • Luxury travel
    • Adventure travel
  • Kāhu Māori news
  • Environment
    • All Environment
    • Our Green Future
  • Talanoa Pacific news
  • Property
    • All Property
    • Property Insider
    • Interest rates tracker
    • Residential property listings
    • Commercial property listings
  • Health
  • Technology
    • All Technology
    • AI
    • Social media
  • Rural
    • All Rural
    • Dairy farming
    • Sheep & beef farming
    • Horticulture
    • Animal health
    • Rural business
    • Rural life
    • Rural technology
    • Opinion
    • Audio & podcasts
  • Weather forecasts
    • All Weather forecasts
    • Kaitaia
    • Whangārei
    • Dargaville
    • Auckland
    • Thames
    • Tauranga
    • Hamilton
    • Whakatāne
    • Rotorua
    • Tokoroa
    • Te Kuiti
    • Taumaranui
    • Taupō
    • Gisborne
    • New Plymouth
    • Napier
    • Hastings
    • Dannevirke
    • Whanganui
    • Palmerston North
    • Levin
    • Paraparaumu
    • Masterton
    • Wellington
    • Motueka
    • Nelson
    • Blenheim
    • Westport
    • Reefton
    • Kaikōura
    • Greymouth
    • Hokitika
    • Christchurch
    • Ashburton
    • Timaru
    • Wānaka
    • Oamaru
    • Queenstown
    • Dunedin
    • Gore
    • Invercargill
  • Meet the journalists
  • Promotions & competitions
  • OneRoof property listings
  • Driven car news

Puzzles & Quizzes

  • Puzzles
    • All Puzzles
    • Sudoku
    • Code Cracker
    • Crosswords
    • Cryptic crossword
    • Wordsearch
  • Quizzes
    • All Quizzes
    • Morning quiz
    • Afternoon quiz
    • Sports quiz

Regions

  • Northland
    • All Northland
    • Far North
    • Kaitaia
    • Kerikeri
    • Kaikohe
    • Bay of Islands
    • Whangarei
    • Dargaville
    • Kaipara
    • Mangawhai
  • Auckland
  • Waikato
    • All Waikato
    • Hamilton
    • Coromandel & Hauraki
    • Matamata & Piako
    • Cambridge
    • Te Awamutu
    • Tokoroa & South Waikato
    • Taupō & Tūrangi
  • Bay of Plenty
    • All Bay of Plenty
    • Katikati
    • Tauranga
    • Mount Maunganui
    • Pāpāmoa
    • Te Puke
    • Whakatāne
  • Rotorua
  • Hawke's Bay
    • All Hawke's Bay
    • Napier
    • Hastings
    • Havelock North
    • Central Hawke's Bay
    • Wairoa
  • Taranaki
    • All Taranaki
    • Stratford
    • New Plymouth
    • Hāwera
  • Manawatū - Whanganui
    • All Manawatū - Whanganui
    • Whanganui
    • Palmerston North
    • Manawatū
    • Tararua
    • Horowhenua
  • Wellington
    • All Wellington
    • Kapiti
    • Wairarapa
    • Upper Hutt
    • Lower Hutt
  • Nelson & Tasman
    • All Nelson & Tasman
    • Motueka
    • Nelson
    • Tasman
  • Marlborough
  • West Coast
  • Canterbury
    • All Canterbury
    • Kaikōura
    • Christchurch
    • Ashburton
    • Timaru
  • Otago
    • All Otago
    • Oamaru
    • Dunedin
    • Balclutha
    • Alexandra
    • Queenstown
    • Wanaka
  • Southland
    • All Southland
    • Invercargill
    • Gore
    • Stewart Island
  • Gisborne

Media

  • Video
    • All Video
    • NZ news video
    • Herald NOW
    • Business news video
    • Politics news video
    • Sport video
    • World news video
    • Lifestyle video
    • Entertainment video
    • Travel video
    • Markets with Madison
    • Kea Kids news
  • Podcasts
    • All Podcasts
    • The Front Page
    • On the Tiles
    • Ask me Anything
    • The Little Things
  • Cartoons
  • Photo galleries
  • Today's Paper - E-editions
  • Photo sales
  • Classifieds

NZME Network

  • Advertise with NZME
  • OneRoof
  • Driven Car Guide
  • BusinessDesk
  • Newstalk ZB
  • Sunlive
  • ZM
  • The Hits
  • Coast
  • Radio Hauraki
  • The Alternative Commentary Collective
  • Gold
  • Flava
  • iHeart Radio
  • Hokonui
  • Radio Wanaka
  • iHeartCountry New Zealand
  • Restaurant Hub
  • NZME Events

SubscribeSign In
Advertisement
Advertise with NZME.
Home / Business

Hell Pizza hit by ‘credential stuffing’ cyberattack - which provides a lesson for everyone

Chris Keall
By Chris Keall
Technology Editor/Senior Business Writer·NZ Herald·
27 Jul, 2023 01:27 AM4 mins to read

Subscribe to listen

Access to Herald Premium articles require a Premium subscription. Subscribe now to listen.
Already a subscriber?  Sign in here

Listening to articles is free for open-access content—explore other articles or learn more about text-to-speech.
‌

Subscriber benefit

The ability to gift paywall-free articles is a subscriber only benefit. See more offers by clicking the button below.

Already a subscriber?  Sign in here
Save

    Share this article

    Reminder, this is a Premium article and requires a subscription to read.

The attacker was able to log in and access the information of a small minority of customers. Photo / NZME
The attacker was able to log in and access the information of a small minority of customers. Photo / NZME

The attacker was able to log in and access the information of a small minority of customers. Photo / NZME

Hell Pizza has alerted some of its customers that some of their data was stolen in a cyber attack.

Yet none of its cyber defences were breached.

What gives?

The takeaway chain’s systems were hit by what’s called a “credential stuffing attack”.

That’s when hackers take user names and passwords stolen in a successful attack, then try to use those logins to try to access other sites - banking on the fact that many people use the same username and password for many services.

Make it your business to know

Start your day with the latest business headlines straight to your inbox.
Please email me competitions, offers and other updates. You can stop these at any time.
By signing up for this newsletter, you agree to NZME’s Terms of Use and Privacy Policy.
Advertisement
Advertise with NZME.

For example, in 2012, hackers stole hundreds of millions of logins from LinkedIn (many of which are still for sale today on the dark web). If I had used chris.keall@nzherald.co.nz and HireMe1984 as my LinkedIn login, then hackers could have tried their luck using that combo to access other sites.

The process is often automated for efficiency, with many stolen logins tried on a target website at once. And it was just such “stuffing” that Hell detected on July 22.

“The important message we want to get through to the public and our customers is that the Hell system and database remains secure,” Hell chief executive Ben Cummings told the Herald.

Advertisement
Advertise with NZME.

“The attack was not a result of a technical compromise or breach of Hell systems; the attacker used legitimate email addresses and passwords to access customer accounts. We hope that this example can help educate people on the importance of best-practice password security.”

Nevertheless, in a number of instances where people used the same login for Hell as they did for other sites - which had been breached - then they could access a user account.

What was taken

Hell said in an email to affected customers:

“For a small minority of customers, the attacker was able to log in and access that customer’s information. Unfortunately, our analysis shows your account was likely accessed.

“Once the attacker had successfully logged in, they accessed information held on your customer profile. This may include:

“Your name, email address, and phone number. any stored addresses used for deliveries, some details of any stored credit/debit cards, including the cardholder name, expiry, and only parts of the card number, information about recent orders, including what was ordered and how much it cost.

“Please note that, in line with online payment standards, we do not store the full card number for credit/debit cards in our system. This means the full card number and the security code (CVV) were not able to be accessed.”

Read More

  • Eftpos provider Smartpay suffers ransomware attack
  • Cybercrime: Financial losses jump 66% as NZ fails to match Aussie moves
  • Controversial cybersecurity shakeup to go ahead from August, Little says

The Privacy Commissioner and other authorities were alerted. “We’ve been very open about what’s happened,” Cummings said.

Advertisement
Advertise with NZME.

Affected customers will be required to change their password next time they log on - and the strong recommendation is to also change passwords they use for other services.

Although its systems were not breached, Cummings says Hell will review them regardless, with a view to assessing if there are any steps it can take to protect customers who have been careless with password reuse.

Passwords: How the Hell do you wrangle them all?

You need not just a unique password for every site, but a long and strong password. That means at least 15 characters, with at least one number or special character.

The rub, of course, is that you need different long and strong passwords for every website.

One solution suggested by Netsafe and other experts is to use lyrics from a favourite song as a “pass phrase” - if a site allows long, multiword logons, You can use different lines from the same song for different sites, throwing in a few special characters or numbers to mix it up.

You could use a password manager like the highly-rated 1Password or BitWarden - so you only have to remember one login for a virtual vault that generates and stores unique passwords for every site you access.

Google (Chrome), Microsoft (Edge) and Apple (Safari) all have password management built into their web browsers. Just accept suggested passwords, then rely on your browser auto-filling them most of the time - and lumping it and selecting reset password when it doesn’t.

And always take the option for two-factor authentication when it’s offered. That is, a confirmation message sent to your phone by text (or, in some cases, an app on your phone) whenever there’s a login attempt from a new device.

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.

Subscriber benefit

The ability to gift paywall-free articles is a subscriber only benefit. See more offers by clicking the button below.

Already a subscriber?  Sign in here
Save

    Share this article

    Reminder, this is a Premium article and requires a subscription to read.

Latest from Business

Premium
Business

Dilworth: Has it done enough to address abuse, and is it a school worth saving?

28 Jun 05:00 PM
Premium
Opinion

Liam Dann: Never mind the swear words, our politicians need to raise the quality of debate

28 Jun 05:00 PM
Premium
Retail

On The Up: How a Kiwi family built a tool empire from $10k and a vision

28 Jun 01:00 AM

Audi offers a sporty spin on city driving with the A3 Sportback and S3 Sportback

sponsored
Advertisement
Advertise with NZME.
Recommended for you
Leigh Hart on how he became 'That Guy', and the one time he crossed the line
Entertainment

Leigh Hart on how he became 'That Guy', and the one time he crossed the line

28 Jun 07:00 PM
5 stunning winter walks to try around New Zealand
Travel

5 stunning winter walks to try around New Zealand

28 Jun 07:00 PM
Pollock shines as Lions win big in Australia tour opener
Rugby

Pollock shines as Lions win big in Australia tour opener

28 Jun 06:20 PM
Staying local? Here’s what’s hot in New Zealand
Travel news

Staying local? Here’s what’s hot in New Zealand

28 Jun 06:00 PM
Takitimu House leader Annamarie Angus steps down after 11 years
Bay of Plenty Times

Takitimu House leader Annamarie Angus steps down after 11 years

28 Jun 06:00 PM

Latest from Business

Premium
Dilworth: Has it done enough to address abuse, and is it a school worth saving?

Dilworth: Has it done enough to address abuse, and is it a school worth saving?

28 Jun 05:00 PM

'Is there still enough good worth preserving?' Dilworth confronts the past and the future.

Premium
Liam Dann: Never mind the swear words, our politicians need to raise the quality of debate

Liam Dann: Never mind the swear words, our politicians need to raise the quality of debate

28 Jun 05:00 PM
Premium
On The Up: How a Kiwi family built a tool empire from $10k and a vision

On The Up: How a Kiwi family built a tool empire from $10k and a vision

28 Jun 01:00 AM
Premium
Inside the new luxury eatery blending Central Otago's history and cuisine

Inside the new luxury eatery blending Central Otago's history and cuisine

27 Jun 11:00 PM
Gold demand soars amid global turmoil
sponsored

Gold demand soars amid global turmoil

NZ Herald
  • About NZ Herald
  • Meet the journalists
  • Newsletters
  • Classifieds
  • Help & support
  • Contact us
  • House rules
  • Privacy Policy
  • Terms of use
  • Competition terms & conditions
  • Our use of AI
Subscriber Services
  • NZ Herald e-editions
  • Daily puzzles & quizzes
  • Manage your digital subscription
  • Manage your print subscription
  • Subscribe to the NZ Herald newspaper
  • Subscribe to Herald Premium
  • Gift a subscription
  • Subscriber FAQs
  • Subscription terms & conditions
  • Promotions and subscriber benefits
NZME Network
  • The New Zealand Herald
  • The Northland Age
  • The Northern Advocate
  • Waikato Herald
  • Bay of Plenty Times
  • Rotorua Daily Post
  • Hawke's Bay Today
  • Whanganui Chronicle
  • Viva
  • NZ Listener
  • Newstalk ZB
  • BusinessDesk
  • OneRoof
  • Driven Car Guide
  • iHeart Radio
  • Restaurant Hub
NZME
  • About NZME
  • NZME careers
  • Advertise with NZME
  • Digital self-service advertising
  • Book your classified ad
  • Photo sales
  • NZME Events
  • © Copyright 2025 NZME Publishing Limited
TOP
search by queryly Advanced Search