New Zealand - Crypto users across New Zealand have fallen victim to credential-stuffing attacks tied to the Mother of All Breaches, a compilation of 26 billion records from thousands of earlier data leaks that has since been expanded by further large-scale dumps.
The 12-terabyte dataset and its successors have flooded the internet with exposed emails, usernames and passwords. Those records have powered credential-stuffing attacks on custodial exchanges and payment services operating in New Zealand, resulting in confirmed losses for some Kiwi users in 2026.
This wave of incidents places user responsibility and platform responses at the centre of the country’s maturing custodial crypto market.
With hundreds of thousands of Kiwis now holding or trading digital assets, the breaches expose the persistent gap between global credential exposure and everyday security habits on local platforms.
Providers are tightening controls, yet the cases make clear that individual practices - enabling 2FA and eliminating password reuse - remain the decisive layer of defence.
Users without 2FA a risk to themselves
One affected Kiwi user, who asked to remain anonymous, admitted he had not enabled 2FA on his custodial account despite using it for other financial services.
“Critically I did not have 2FA enabled, which is stupid as I have it for everything else financial / sensitive information wise,” he told Cryptocurrency NZ.
“Pretty annoying but what can you do.”
Credentials leaked in unrelated third-party breaches are being replayed against local platforms wherever Kiwi users reused the same email and password combination.
In New Zealand, custodial services have confirmed unauthorised access tied directly to these external exposures.
Providers, including Pay It Now, report that the incidents involved no breach of their own systems and instead originated from password reuse or earlier compromises elsewhere.
Pay It Now identified 10 such accounts out of more than 60,000 registered users.
The Christchurch company said the pattern matched broader industry experience with opportunistic attacks on reused credentials.
AI tooling makes attacks easier and more efficient
The economics of credential stuffing have also shifted.
AI-assisted tooling now automates what once required meaningful technical skill: crawling breach databases, cross-referencing email and password pairs against target platforms, prioritising high-value accounts by activity signals, and rotating through proxies to evade detection.
Attack pipelines that previously took hours to configure can now be templated and re-run across dozens of services in minutes.
The barrier to entry has dropped to the point where opportunistic exploitation - not sophisticated hacking - is the dominant threat model.
Credential databases remain freely accessible or cheaply traded on darknet markets, and the supply side shows no sign of tightening.
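The defensive counterpart to that pipeline is worth seeing in code. The script below is an added example, not part of the original article and not any provider's code; the log format and the IP addresses in the sample lines are constructed for the example. It runs two checks over the same login events: a classic per-account lockout after consecutive failures, of the kind the platforms quoted later describe, and a per-source check for the credential-stuffing signature, many distinct accounts tried from one address with a low success rate. The contrast is the point: a lockout catches brute force against a single account but never fires on stuffing, which touches each account once, so the accounts that logged in successfully from a flagged source are the ones to push to a step-up challenge or manual review.

```python
import re
from collections import defaultdict

# Constructed sample login events for this example (not real traffic).
# The line format "<timestamp> ip=<addr> user=<email> result=<ok|fail>" is an
# assumption; adapt LINE_RE to whatever the real authentication log emits.
SAMPLE_LOG = """\
2026-02-03T10:00:01Z ip=203.0.113.7 user=alice@example.nz result=fail
2026-02-03T10:00:02Z ip=203.0.113.7 user=bob@example.nz result=fail
2026-02-03T10:00:02Z ip=203.0.113.7 user=carol@example.nz result=ok
2026-02-03T10:00:03Z ip=203.0.113.7 user=dave@example.nz result=fail
2026-02-03T10:00:03Z ip=203.0.113.7 user=erin@example.nz result=fail
2026-02-03T10:00:04Z ip=203.0.113.7 user=frank@example.nz result=fail
2026-02-03T10:00:05Z ip=203.0.113.7 user=grace@example.nz result=fail
2026-02-03T10:00:06Z ip=203.0.113.7 user=heidi@example.nz result=ok
2026-02-03T10:01:10Z ip=198.51.100.20 user=alice@example.nz result=fail
2026-02-03T10:01:12Z ip=198.51.100.20 user=alice@example.nz result=fail
2026-02-03T10:01:15Z ip=198.51.100.20 user=alice@example.nz result=ok
2026-02-03T10:02:00Z ip=192.0.2.9 user=ivan@example.nz result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def locked_accounts(events, max_consecutive_failures=3):
    """Per-account lockout: report users who hit N consecutive failures.

    This is the control that stops brute force on one account. Credential
    stuffing tries each account once with its leaked password, so the streak
    never grows and this rule never fires on it.
    """
    streak = defaultdict(int)
    locked = set()
    for ev in events:
        if ev["result"] == "fail":
            streak[ev["user"]] += 1
            if streak[ev["user"]] >= max_consecutive_failures:
                locked.add(ev["user"])
        else:
            streak[ev["user"]] = 0
    return locked


def detect_credential_stuffing(events, min_distinct_accounts=5, max_success_rate=0.5):
    """Per-source check: one address trying many distinct accounts with a low
    success rate. Returns flagged sources with the accounts that did log in
    from them, which are the ones to challenge or review."""
    by_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                 "users": set(), "ok_users": set()})
    for ev in events:
        s = by_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "ok":
            s["successes"] += 1
            s["ok_users"].add(ev["user"])

    flagged = {}
    for ip, s in by_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_accounts": len(s["users"]),
                "success_rate": rate,
                "successful_accounts": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", sorted(locked_accounts(evs)))
    for ip, s in detect_credential_stuffing(evs).items():
        print(f"stuffing source {ip}: {s['distinct_accounts']} accounts tried, "
              f"success rate {s['success_rate']:.2f}, "
              f"review logins for {s['successful_accounts']}")
```

On the constructed data the lockout flags only alice, who was brute-forced from 198.51.100.20, while 203.0.113.7 is flagged as a stuffing source and carol and heidi, whose reused passwords worked, are the accounts worth a forced 2FA challenge and a withdrawal hold. Against proxy rotation the per-IP key is too narrow; in production the same aggregation is usually run per ASN, per device fingerprint and globally (failure volume across all accounts per minute), with the thresholds tuned to the platform's baseline.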
Users can check their own exposure by visiting haveibeenpwned.com.
Platforms respond with stronger controls
Pay It Now co-founder and director Craig Duffield described the activity as part of a broader digital security challenge.
“What we’ve observed is consistent with a wider issue across digital platforms, where user credentials are exposed through third party data breaches, password reuse, or weaker personal security practices,” Duffield stated.
“This is not unique to crypto and applies to any service that relies on email and password authentication.”
The Christchurch-based service made 2FA mandatory for all accounts, added SMS verification, introduced password lockouts after multiple failed attempts, and expanded transaction monitoring with risk-based controls and manual reviews. It engaged a forensic blockchain analysis provider to trace affected funds and began proactive outreach to customers on higher-risk activity.
Duffield said these steps went beyond standard measures.
“Security is something we take seriously, and we do not want to see customers, on any platform, lose funds due to preventable issues.”
Binance New Zealand reported no confirmed cases in 2026 of fund losses directly tied to the large-scale credential compilations. A Binance spokesperson said credential theft, phishing and password reuse remain industry-wide risks.
“Users are at the heart of everything we do, and safety is fundamental to building trust in the digital asset ecosystem,” the spokesperson said. Binance continues to invest in multi-factor authentication, real-time risk monitoring and user education, while maintaining its Secure Asset Fund for Users as an additional protection layer.
Swyftx, another major custodial platform active in New Zealand, strongly encourages users to enable 2FA but does not currently make it mandatory.
The exchange promotes authenticator apps such as Google Authenticator, Microsoft Authenticator and Authy, along with biometric login and breached-password detection.
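The breached-password detection Swyftx offers, and the personal check at haveibeenpwned.com mentioned earlier, can both be done without sending the password or even its full hash anywhere. The Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix sharing that prefix, so the match is made client-side (k-anonymity). The script below is an added example, not code from the article or from any provider: the online fetcher calls the real api.pwnedpasswords.com range endpoint, while the offline stand-in and its count of 123456 for "password123" are constructed so the example runs with no network access.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes passwords by upper-case hex SHA-1 digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix). Only the 5-character prefix ever leaves the client;
    the 35-character suffix is compared locally against the returned list."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix and return the count
    for our suffix, or 0 if it is absent. Padding entries carry count 0."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Real lookup against Have I Been Pwned. Add-Padding asks the service to pad
    the response so its size does not reveal how many suffixes share the prefix.
    The User-Agent string is a placeholder for this example."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch_range(prefix: str) -> str:
    """Constructed stand-in for the service so the example runs offline. It knows
    one leaked password, 'password123', with a made-up count of 123456."""
    known_prefix, known_suffix = split_for_range_query("password123")
    lines = [
        "0000000000000000000000000000000000A:0",  # padding-style entry
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7",  # unrelated suffix
    ]
    if prefix == known_prefix:
        lines.append(f"{known_suffix}:123456")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password123", "correct-horse-battery-staple-2026"):
        n = breach_count(pw, fake_fetch_range)
        verdict = f"seen {n} times, reject" if n else "not in the offline sample"
        print(f"{pw!r}: {verdict}")
    # Swap fake_fetch_range for fetch_range_online to query the live service.
```

A platform-side check of this kind runs at registration and password change and rejects any password with a non-zero count; it is no substitute for 2FA, since a password that is unique today may appear in tomorrow's dump, but it removes the reused passwords that credential stuffing depends on.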
Lessons for New Zealand’s users
The pattern is now well established: leaked credentials from one platform become the skeleton key for another. Enabling 2FA is no longer an advanced precaution, it is the baseline. Every major custodial service operating in New Zealand offers it for free, and setup takes under a minute.
One caveat worth noting: 2FA is only as strong as the account-recovery path behind it, which on most platforms is the registered email address.
“If that email is compromised, attackers can often reset passwords or intercept recovery flows and bypass the second factor entirely,” a New Zealand crypto security specialist noted.
For those who want to eliminate custodial risk entirely, self-custody removes the platform-credential attack surface, but it replaces it with key-management risk: the protection holds only if seed phrases are stored properly and never kept as a photo, screenshot, cloud note or other digital copy.
As global credential leaks show no sign of slowing, the clearest lesson for Kiwi users in 2026 is simple.
Small security habits deliver outsized protection.
