CFOtech New Zealand - Technology news for CFOs & financial decision-makers
New Zealand

Guides

#
artificial intelligence
#
data analytics
#
digital transformation
#
fintech
#
health technologies

Search

Nz suburban dusk street data breach shadowy hacker scene
#
Data Protection
#
Phishing
#
Email Security

Neighbourly data breach: Stuff files High Court injunction

Mon, 5th Jan 2026
Author image
By Mark Tarre, News Chief

Stuff Group has applied for an urgent injunction in the High Court at Auckland following a significant data breach targeting its hyper-local community platform, Neighbourly.

The legal move comes as sensitive user data, reportedly totaling 150GB, has appeared for sale on a cybercrime marketplace on the dark web.

The breach, which was first detected on New Year's Day, forced the media giant to take the Neighbourly platform offline for three days while forensic teams investigated the intrusion.

While the site was restored on January 4, the fallout continues to escalate with the confirmation that granular personal data, including GPS coordinates and private communications - is now in the hands of bad actors.

The breach timeline and "Sprigatito"

According to Neighbourly's Q&A page, the breach was identified on January 1, 2026.

In an initial response described as "an abundance of caution," access to the site was suspended immediately.

By Saturday, January 3, the company had begun emailing its member base, estimated to be between 800,000 and 1 million New Zealanders - to confirm that unauthorised access had occurred.

A threat actor operating under the pseudonym "Sprigatito" has claimed responsibility for the attack.

On a known cybercrime forum, the actor listed a database allegedly containing "213 million lines" of data.

While this figure seemingly dwarfs the actual population of New Zealand, security analysts suggest the number likely refers to individual data points, logs, or forum entries rather than unique user profiles.

However, the volume of data is substantial, reportedly comprising 150GB of information which suggests a near-complete exfiltration of the platform's backend database.

Granular data and GPS exposure

What sets the Neighbourly breach apart from standard credential stuffing attacks is the hyper-local nature of the data involved.

According to the company's official communications and notifications sent to the Privacy Commissioner, the compromised data fields include full names, dates of birth, email addresses, and phone numbers.

Crucially, the leak also exposes residential addresses and GPS coordinates identifying home locations.

The breach also compromised user-generated content, including public posts and private messages between neighbours.

Stuff has emphasized that user passwords and financial information (such as credit card details) were not accessed in the attack.

The platform stores passwords using hashing protocols, and financial data is not held directly on the affected servers.

Despite the safety of login credentials, the exposure of GPS coordinates combined with real names and private message histories poses a significant privacy risk.

Tech commentators have noted that this specific combination of data is highly valuable for social engineering and targeted phishing campaigns, as it allows scammers to construct highly convincing narratives based on a victim's location.

Legal action and containment

In a move to stem the distribution of the stolen material, Stuff confirmed on Monday, January 5, that it had filed proceedings in the High Court against "unknown defendants."

The injunction seeks to legally prohibit anyone from storing, publishing, sharing, or otherwise using the stolen file.

While an injunction cannot physically delete data already downloaded by criminals on the dark web, it provides Stuff with legal leverage to issue takedown notices to hosting providers.

This legal mechanism also prevents legitimate or semi-legitimate platforms from hosting or redistributing the data.

"We take our data privacy responsibilities seriously," a Stuff spokesperson stated over the weekend regarding the incident.

The company has notified the Office of the Privacy Commissioner and the New Zealand Police regarding the criminal access.

User advisory

Neighbourly has advised all users to remain hyper-vigilant regarding their digital safety.

While passwords do not need to be reset immediately based on the breach evidence, the company warns that users should expect an increase in unsolicited contact.

"Be very, very suspicious of any unsolicited emails or phone calls," the company's support team warns.

With the release of names linked to specific addresses, the risk of "courier scams" or impersonation fraud is elevated.

As of Monday morning, the Neighbourly site is fully operational.

Stuff maintains that the security vulnerability used to access the data has been identified and closed, and the platform is now secure.

Related stories
Wise tips five trends reshaping cross-border payments
AI value proving elusive for many Australian firms
Top 10 data governance best practices to implement today
NORBr links with Ecommpay to speed embedded payments
European banks see AI cutting jobs mainly via attrition

Top stories

Banks hit by costly outages as AI drives observability
More flexibility, less ghosting: Here’s what the world of work will look like in 2026
eflow posts 23% client growth & 56 new deployments
Ivo raises USD $55 million to grow AI contract tools
Forrester tips cloud & generative AI to fuel IT boom