New Zealand Government and Healthcare Logins Found for Sale on Dark Web – Security Expert Warns of Growing Threat

August 5, 2025 — A cybersecurity startup, nWebbed, has revealed that logins and passwords for staff at New Zealand Government agencies, healthcare providers, and one of the country's major banks are being sold on the dark web. The discovery, highlighted in the firm’s NZ Cybersecurity Study, has sparked urgent concerns about the vulnerability of critical sectors to cyber threats.

Dark Web Breach Exposes Thousands of Compromised Credentials

nWebbed’s analysis of 30 billion credentials available for sale on the dark web uncovered over 198,000 compromised credentials linked to New Zealand organizations. These include:

• Over 18,000 logins for government workers
• 3,200 banking staff accounts
• 2,000 healthcare workers with privileged access

Some of these credentials were recently used, with healthcare logins reportedly accessed as recently as last month and a bank login used in May. The founder of nWebbed, Julian Wendt, has shared these findings with affected organizations, the Office of the Privacy Commissioner, and the Privacy Commissioner.

How Do Stolen Credentials End Up on the Dark Web?

According to Wendt, hackers often display a limited number of stolen credentials for free as a sample of a larger collection. This is done either to entice buyers with a taster or to boast about their cybercrime exploits. However, when credentials are tied to high-value accounts, such as those with significant balances, they can be sold at a premium.

Wendt noted that bulk lots of credentials are often available at low costs. One example he provided shows a seller offering free access to 900,000 credentials as a sample of a 200 million credential collection, available for a one-time payment of $3,390 or a monthly subscription of $100 after the first month.

What Can You Buy on the Dark Web?

A 2025 study by Experian found the following prices for individual credentials on the dark web (converted to New Zealand dollars):

• Hacked Gmail account: $8
• Hacked social media account: $33 to $42
• Passport: $83
• Driver’s licence: $250
• Crypto account details: $33 to $4,410

Another study by Crowdstrike found that stolen bank logins with at least $2,000 in accounts could be purchased for $60, while stolen credit card details with balances up to $5,000 could be bought for $125.

What Is the Dark Web?

Wendt described the dark web as a “wretched hive of scum and villainy,” an area of the internet that requires special software to access. Unlike the surface web, it is not indexed by search engines like Google, and users must know specific URLs to navigate it. Once on one site, users often gain access to others.

Security Recommendations from the Expert

Julian Wendt emphasized that using a pass phrase rather than a traditional password is the best defense against automated hacking systems. A pass phrase could be a line from a favorite song, book, or movie, which is easier to remember but significantly harder for hackers to crack due to its length.

Other key recommendations include:

• Using a unique password for every service
• Enabling multifactor authentication (MFA) where possible
• Avoiding public Wi-Fi for sensitive transactions
• Using a password manager to generate and store strong passwords

Wendt also warned against forcing users to change passwords frequently, as this can lead to frustration and the use of weaker passwords with minor variations.

Conclusion

The discovery of government and healthcare credentials on the dark web underscores the urgent need for organizations to reassess their cybersecurity strategies. As cyber threats continue to evolve, the use of pass phrases, MFA, and regular security audits will be critical in protecting sensitive data and preventing breaches.