Geekzone: technology news, blogs, forums
richms
  #3412609 8-Sep-2025 15:18

Or possibly this, which has come to light from Mercury on Reddit: https://www.reddit.com/r/newzealand/comments/1nb8osd/mercury_energy_customers_heads_up_your_data_is/

Ragnor
  #3412612 8-Sep-2025 15:22

MadEngineer:

freitasm:

It is a two way approach. I use both the Cloudflare detection and the haveibeenpwned password API. This check happens on login only.

This should be a feature added to any website dealing with client logins imho. I’d be interested to know if anyone has implemented this outside of Cloudflare hosted sites.

Yes me! From at least 5 years ago, I always implemented both a check to haveibeenpwned api and https://github.com/dropbox/zxcvbn (some of the language specific ones are updated unlike the original dropbox one) in case haveibeenpwned is unavailable. This is for checking all new/changed passwords that users are trying to set in our system.

I still can't turn on the new leaked credentials check in our Cloudflare account since the new WAF version migration, I am stuck in AI support response hell - where it gives me info about the old WAF version or just tells me to turn it on... I would if the option was showing where it's supposed to!


Ragnor
  #3412615 8-Sep-2025 15:28

freitasm:

It doesn't have to use the Cloudflare feature. Just a function to check haveibeenpwned API as I did. I am just running both in case one misses a leak, but I'd say having a haveibeenpwned API function would be enough.

I'm sure Trade Me could spend 30 minutes of a dev to implement this.

Yes probably some concerns with putting an external dependency in a critical path, but I just gave the request in ours a short timeout and fallback to carry on if the api isn't available.

Also at Trade Me scale/load they'd have to pay for higher rate limits I guess.
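A minimal version of what Ragnor describes in the two posts above (a haveibeenpwned range lookup with a short timeout that carries on if the API is unavailable), as an added example rather than code from Geekzone or Ragnor's system. The endpoint URL and User-Agent string are assumptions; the check takes an injectable transport so it can be exercised without network access.

```python
import hashlib
import urllib.request
from dataclasses import dataclass
from typing import Callable

# Public k-anonymity endpoint documented by Have I Been Pwned for Pwned Passwords (assumed here).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


@dataclass
class PwnedResult:
    checked: bool  # False when the API could not be reached before the timeout
    count: int     # how many times this exact password appears in known breaches


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex split into the 5-char prefix sent to HIBP and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_http(prefix: str, timeout: float) -> str:
    """Default transport: GET the hash range; network errors and timeouts propagate as OSError."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str, suffix: str) -> int:
    """Scan 'SUFFIX:COUNT' lines for our suffix; the other suffixes are just k-anonymity cover."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix and count.strip().isdigit():
            return int(count.strip())
    return 0


def check_password(password: str,
                   fetch_range: Callable[[str, float], str] = fetch_range_http,
                   timeout: float = 1.5) -> PwnedResult:
    """Short-timeout HIBP check that fails open: a dependency outage returns checked=False
    so the caller can log it and carry on instead of blocking the login/registration path."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        body = fetch_range(prefix, timeout)
    except (OSError, ValueError):  # URLError/HTTPError/socket timeouts are OSError subclasses
        return PwnedResult(checked=False, count=0)
    return PwnedResult(checked=True, count=parse_range(body, suffix))
```

When `checked` comes back False, a local strength estimator such as zxcvbn is the natural fallback for new or changed passwords, as the post describes.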

freitasm
  #3412632 8-Sep-2025 15:55

Ragnor:

MadEngineer:

freitasm:

It is a two way approach. I use both the Cloudflare detection and the haveibeenpwned password API. This check happens on login only.

This should be a feature added to any website dealing with client logins imho. I’d be interested to know if anyone has implemented this outside of Cloudflare hosted sites.

Yes me! From at least 5 years ago, I always implemented both a check to haveibeenpwned api and https://github.com/dropbox/zxcvbn (some of the language specific ones are updated unlike the original dropbox one) in case haveibeenpwned is unavailable. This is for checking all new/changed passwords that users are trying to set in our system.

I still can't turn on the new leaked credentials check in our Cloudflare account since the new WAF version migration, I am stuck in AI support response hell - where it gives me info about the old WAF version or just tells me to turn it on... I would if the option was showing where it's supposed to!

Can't you turn it on because it's greyed out, or you can't find where to toggle it, or how to use it?

Send me a PM and let me know if you need help and I can get some screenshots.

freitasm
  #3412633 8-Sep-2025 15:57

Well, last weekend I sent out 22k emails to let people know about the TV giveaway.

We had quite a few logins from people who haven't visited Geekzone in quite some time. And hundreds of accounts flagged as "compromised".

I hope these people realise they need to update their passwords everywhere.

I was worried that one account is a government account.

MadEngineer
  #3412634 8-Sep-2025 16:07

May want to remove that last little detail and this post if so. It’d be trivial to look up govt email addresses in breaches, see which public profile may have IT interests and you’d then know their password for GZ. High chance that person will be careless and use the same pw everywhere. 

MichaelNZ
  #3413531 10-Sep-2025 21:25

I have had website accounts compromised a few times.

Must be a grave disappointment to them the passwords were useless anywhere else.

jamesrt