-
Neighbourly, a New Zealand-based platform that connects local communities and is owned by Stuff Group Ltd, recorded a data breach on January 1, 2026.
-
The bad actors made away with 213 million or 150 GB lines of data containing members names, addresses, GPS Coordinates and commercialized it on a dark web marketplace.
-
The site pulled down the site to address the vulnerability and restored it after 3 days while filing for a court injunction against the use of the stolen data.
The personal information of Neighbourly users, such as GPS locations, email addresses, and even names, is currently up for sale on the dark web. Apart from these, some very private messages and posts made by the users are all exposed to dark web users to buy.
The user’s information hit the dark web markets over Christmas, and according to a website that monitors dark web activities, it was an influx of “massive database of information.”
This incident highlights the persistent and evolving threat of cybercrime marketplaces, which have expanded far beyond selling data to offering disturbingly personalized forms of cyber exploitation, as detailed in our report on the dark web’s disturbing new frontier: Selling human control capabilities.
Neighbourly Shut Down Its Operations Following A Data Breach
On January 2, 2026, Neighbourly went down when its operators noticed that its users’ data was up for sale on the dark web. According to Daily Dark Web, a user came up with claims of possessing over 213 million lines of data from Neighbourly and plans to sell them on a cybercrime marketplace.
An online news site, RNZ, reported on January 2 that the site’s spokesperson made a statement on Thursday, January 1, revealing the operators were aware of these claims and had started investigating it with another data security team.
While the investigations were ongoing, the operators decided to shut down the activities on the site (Neighbourly.co.nz) to be on the safe side. Apart from shutting the site down, the spokesperson disclosed that they contacted the members of the site to bring them up to speed on the matter.
They also warned their users of the increase in bad actors’ operations during the holidays and shared some strategies for avoiding phishing attempts. As of the time of the report on January 2, Neighbourly had yet to confirm if an actual data breach occurred because the bad actors didn’t make any demands on its parent company, Stuff Group, directly.
However, it notified the Privacy Commissioner’s office of the situation’s report and also promised to update its users as the investigators unveil more details of the claims
Data Breach Confirmed After Thorough Investigations with External Data Security Experts
After investigating the claims, Neighbourly shared an update on January 3 confirming the data breach but assuring its members that its operators had contained the breach before the hackers could execute further damage.
In its official update, the site confirmed that unauthorized access took place and the bad actors made away with users’ full names, their email addresses, forum posts, members’ communications, and GPS coordinates.
Fortunately, the access didn’t extend to the members’ passwords, but their business addresses and ads of public events were stolen. Neighborly also wrote that it will seek a “court injunction’ to make sure that no one will use the members’ information.
It also apologized to the members concerning the theft and assured them that the security team has fixed the loophole that made the theft possible, making the site secure once again for use.
Neighborly Resumes Operations Following the Data Breach Investigations
Neighborghly is back online after its investigations. In a report by RNZ Media, the parent company of the site Stuff Group filed for an urgent injunction in the Auckland Federal High Court on January 5 after bringing up the site a day before. The aim of the court injunction is to prohibit the publishing, storing, sharing, or using of the stolen information.
Even though the site cannot delete the data as it has already become accessible to the criminals, the parent company Stuff Group can issue “takedown notices” to hosting providers. This legal and technical approach mirrors tactics used by law enforcement agencies worldwide to disrupt the infrastructure of cybercrime, such as in a recent, high-profile international operation where Dutch police shut down a criminal host used for dark web activities. Further, this legal leverage will ensure that sites that are legitimate or semi-legitimate ones can not host or redistribute the data.
However, Neighborly’s support team has advised users to be vigilant during this period regarding their safety on the internet. Due to the names and addresses in the hands of scammers, unsolicited emails and phone calls might be on the increase. Also, bad actors might start executing impersonation fraud or courier scams with the information in their hands.
