Explore a range of common cyber security threats — find out how they work, how to prevent them, and what to do if they happen to you.

Credential dumps

Where the information comes from

The information comes from data breaches of businesses and organisations. Each release could contain information from one source, or from a range of sources.

A data breach is when private and confidential information is released into an unsecured environment. This usually means that the information becomes publicly available. It also means that others can use it for personal gain, or to cause harm to a business or individual.

When the details are published online, it’s not always obvious where the information has come from. The companies involved may not be aware that the information is online.

Data breach

Types of information

The types of credentials vary in each release. They often include email addresses and passwords. They can be used as targets for spam and phishing emails, or to access accounts.

Find out if you’re affected

You may not know you’re affected until it’s too late.

Several large/public data breaches have been added to a website called "Have I been Pwned?". While CERT NZ has no affiliation with this website, and has not verified the data contained there, it is a central repository of data breached in a range of releases. Users can visit the site to see if their email address is included in the list of released details.

Have I been pwned? 

If your information is released

If your email address has been part of a breach, change the password for that account immediately.

Some people use patterns for their passwords to make them easier to remember. Unfortunately, this also makes them easy to guess. If you have reused a password on other accounts, or have a password pattern, change the passwords for those other accounts too. For example, if your password for Adobe is Adobe123 and that information was part of a credential dump, attackers will try Twitter123 and Facebook123 with your email address.
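The check described above, as an added example that is not CERT NZ's own code: a small Python audit that reports which other passwords need changing once one service is breached, treating exact reuse and service-name patterns alike. The account list is constructed sample data, and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample accounts (service name -> password); not real credentials.
SAMPLE_VAULT = {
    "Adobe": "Adobe123",
    "Twitter": "Twitter123",
    "Facebook": "facebook123",
    "Bank": "correct-horse-battery-staple",
    "Forum": "Summer2019!",
    "Shop": "Summer2019!",
}

def template(service, password):
    """Swap the service name inside the password for a placeholder.

    'Adobe123' for Adobe and 'Twitter123' for Twitter both become '{site}123',
    which exposes the shared pattern. Matching ignores letter case.
    """
    if not service:  # an empty name would match everywhere
        return password
    return re.sub(re.escape(service), "{site}", password, flags=re.IGNORECASE)

def audit(vault):
    """Return {template: [services]} for each template used by 2+ accounts."""
    groups = defaultdict(list)
    for service, password in vault.items():
        groups[template(service, password)].append(service)
    return {t: sorted(s) for t, s in groups.items() if len(s) > 1}

def exposed_by(vault, breached_service):
    """List the other accounts to change if breached_service's password leaks."""
    leaked = template(breached_service, vault[breached_service])
    return sorted(
        s for s, p in vault.items()
        if s != breached_service and template(s, p) == leaked
    )

if __name__ == "__main__":
    for pattern, services in audit(SAMPLE_VAULT).items():
        print(f"{len(services)} accounts share one pattern: {', '.join(services)}")
    print("Change after an Adobe breach:", exposed_by(SAMPLE_VAULT, "Adobe"))
```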

What to do if your identity is stolen

Ways to protect yourself

  • Use different passwords or passphrases for each account. Use a password manager to help keep them safe.
  • Enable multi-factor authentication on your accounts.
  • Fake login pages can be very convincing. Enter the website address directly or search for login pages, instead of following a link. This prevents fraudsters sending you to the wrong place.

Turn on two factor authentication (2FA)

How to create a good password

Report scams and fraud