Have I Been Pwned added 124 million stolen passwords and 56 million email addresses to its breach database on June 15 from malware-infected devices. For New Zealand, the update is less a distant security headline and more a continuation of a domestic problem that the National Cyber Security Center (NCSC) scrambled to contain at the end of last year.
In December 2025, the NCSC contacted around 26,000 New Zealanders after identifying devices infected with Lumma Stealer, a Windows-targeting malware built specifically to harvest passwords, browser data, and banking credentials.
It was the largest public outreach the agency had ever conducted. NCSC Chief Operating Officer Michael Jagusch underlined the scale of the operation, saying, “This is the first time that we have conducted such a large-scale public outreach.”
Some of the passwords stolen in that campaign were linked to government agency systems and bank accounts. The Have I Been Pwned update illustrates where credentials like those can end up. Once compiled into logs, they are traded on dark web marketplaces and eventually indexed in breach databases that anyone can query.
The financial cost of password-driven attacks
Infostealer malware does not target a company’s database. It runs on individual devices and captures passwords from browsers, email clients, and applications — in plain text.
The NCSC specifically flagged the following account types as high-priority targets in its Lumma Stealer guidance: RealMe, myIR, MyMSD, online banking accounts, and email. Each carries a different financial exposure.
A compromised myIR account gives an attacker access to tax filings and refund details. A breached online banking login can enable unauthorized transfers. A stolen RealMe credential, which functions as a digital identity across multiple government services, can expose everything linked to it.
The financial stakes are not theoretical. The NCSC’s Cyber Threat Report 2025 recorded $26.9 million in direct financial losses reported to the agency in 2024–25, up from $21.6 million the previous year. Business email compromise, which is frequently fuelled by stolen credentials, drove a significant share of those losses.
Cheap to deploy, hard to spot
Part of what makes this category of malware dangerous is its accessibility. Lumma Stealer is sold as a commercial service on dark web forums, with pricing starting at around US$250. Buyers receive a management panel to configure the malware, track infections, and download stolen credential logs. Technical skill on the buyer’s part is optional, needed only for more advanced use. In a statement to Nine to Noon, Jagusch noted this shift, saying that “there has been a real commercialization of the cybercrime industry.”
Victims typically have no indication that their device is compromised. The malware runs silently, compresses stolen data into a log file, transmits it, and in some variants deletes the local copy to evade detection. The first sign of infection is often an unexpected account lockout, an unfamiliar transaction, or a surge of spam across linked accounts.
For businesses, the risk extends beyond individual staff. If an employee’s device is infected and browser-saved credentials include corporate email, VPN access, or cloud platform logins, a single home infection can serve as an entry point to a company’s internal systems.
How to check and what to do now
Have I Been Pwned provides two free checks. At haveibeenpwned.com/passwords, users can enter any password they currently use to see whether it appears in a known breach dataset. At haveibeenpwned.com, an email address check returns a list of every breach in which that address has appeared, including the June 15 infostealer dataset.
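The password check above can be done without sending the password itself: Have I Been Pwned’s Pwned Passwords service accepts only the first five hex characters of the password’s SHA-1 hash and returns every matching hash suffix with its breach count (k-anonymity). The script below is an added example, not code from the article or from Have I Been Pwned; the endpoint URL and response format are the service’s documented ones, while the sample response body and its counts are constructed for offline use.

```python
import hashlib
import urllib.request

# Documented HIBP Pwned Passwords range endpoint (k-anonymity API).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password appeared in known breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: download the range for a 5-character hash prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Breach count for a password; `fetch` is injectable for offline tests."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed sample response for prefix 5BAA6; a real response has hundreds
# of lines, and the counts here are illustrative, not HIBP's actual figures.
SAMPLE_RANGE = (
    "1E2D0E8F8A1B6B4C2A3F9E5D7C8B9A0F1E2:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
)

if __name__ == "__main__":
    # Offline demonstration; swap in the default fetch for a live check.
    print(pwned_count("password", fetch=lambda _prefix: SAMPLE_RANGE))
```

A count of zero means the hash suffix was not in the range, not that the password is strong; a non-zero count is a signal to change it everywhere it is reused.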
For anyone who received the NCSC’s December warning email — or who suspects that their device may have been compromised — the agency’s guidance through its Own Your Online campaign recommends the following steps:
- Run Windows Defender or a reputable antivirus tool to scan for and remove active malware.
- Change passwords for every account accessed on the affected device, starting with email, online banking, myIR, MyMSD, and RealMe.
- Reset two-factor authentication where it is in place, as some infostealer variants can capture data from authentication apps alongside passwords.
- Review recent login activity for financial, government, and email accounts for any access that cannot be accounted for.
- Reach out to an IT expert for a professional examination of your device.