At least nine Kiwi websites have been caught up in one of the biggest password security breaches of all-time.
A massive 87GB file containing more than 770 million email addresses and passwords has appeared online, and was briefly available for download from New Zealand's own Mega cloud storage site, Wired reports.
The file, named 'Collection #1', contains private data that appears to have come from more than 2000 different websites.
"It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers - there's no obvious patterns, just maximum exposure," security researcher Troy Hunt told the magazine.
Mr Hunt runs the website Have I Been Pwned?, which lets people search a database of known breaches to see if any of their email addresses and passwords have been compromised.
He said at least 140 million email accounts - and their passwords - in Collection #1 are new to his database, meaning they've never shown up online before.
Wired says Collection #1 ranks as the third-biggest data breach of all-time, behind two incidents involving Yahoo which saw more than 1 billion users' login details leaked. Others have reported Collection #1 as being the biggest ever, even though much of its content is not new.
Kiwi websites caught up in the latest breach are:
- equestrianentries.co.nz
- millenniumcareers.co.nz
- kiwipainting.co.nz
- oldship2u.co.nz
- shiftme.co.nz
- socialise.co.nz
- taurangaknitting.co.nz
- www.bloomsonline.co.nz
Millenium Hotels and Resorts and oldship2u.co.nz didn't immediately respond to Newshub's request for comment.
Equestrian Entries told Newshub they didn't need our assistance, and declined to comment further.
The owner of the Tauranga Knitting Centre wasn't aware of the breach, and said she would look into it.
Newshub could not reach Shift Me, maori.org.nz or Blooms Online. The other sites don't appear to be active at present.
The good news
Much of the data in Collection #1 has been leaked before - for example, it contains emails and passwords leaked from MySpace a decade ago and data from a LinkedIn breach from 2016.
Another silver lining is Collection #1 doesn't contain any credit card numbers. But as people often use the same password on multiple sites, having access to a password from one site often makes it possible for criminals to access others.
- Spark resets thousands of customer passwords
- Taranaki high school shuts down computer system after hack
- Cryptocurrency hack: Cryptopia could be held liable
"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," Mr Hunt wrote on his website.
He recommends using a password manager, which generates difficult-to-crack combinations of letters and numbers, and stores them in an encrypted state.
"If you're in this breach and not already using a dedicated password manager, the best thing you can do right now is go out and get one. I did that many years ago now... the only secure password is the one you can't remember."
Mega, where Collection #1 was uploaded, was started by former MegaUpload boss Kim Dotcom in 2013. He left the company in 2015, claiming the site was now in control of the New Zealand Government.
Newshub.