
How Exposed Am I? Legit NZ Government Tool Guide
Chances are your email address has cropped up in a data breach at some point — it happens to millions of people. If you’ve been hearing about the New Zealand government’s “How Exposed Am I?” tool and wondering whether it’s the real deal, you’re in the right place. This guide walks through exactly what the tool does, how it works, and what to do with the results — no jargon, no fluff. The National Cyber Security Centre (NCSC) reports that over 4.3 million New Zealand account details have been exposed to scammers, making this a timely question for anyone with an online presence.
Exposed NZ accounts: 4.3 million ·
Data points analyzed: 73 billion ·
Government backing: NCSC New Zealand ·
Associated service: Own Your Online
Quick snapshot
- Official NZ government tool (NCSC)
- Backed by .govt.nz domain and NCSC’s Own Your Online platform (Own Your Online)
- Cross-references data from Have I Been Pwned (NCSC)
- How exactly the exposure score is calculated
- Whether the score includes data beyond email-based breaches
- Tool launched during Cyber Smart Week (Digital Watch Observatory)
- NCSC mandated 10 Minimum Standards for public sector with October 2025 deadline (Industrial Cyber)
- Run the check at howexposedami.govt.nz
- Update any passwords that appear in breach databases
- Enable two-factor authentication on critical accounts
Key facts about the How Exposed Am I tool and its national impact are summarized in the table below.
| Detail | Information |
|---|---|
| Official Site | www.howexposedami.govt.nz |
| Parent Program | Own Your Online |
| Data Analyzed | 73 billion points |
| NZ Impact | 4.3 million accounts |
| Operator | NCSC New Zealand |
| Data Source | Have I Been Pwned |
| Parent Agency | GCSB |
| Support Line | 0800 114 115 |
Is How Exposed Am I legit?
This is usually the first question people ask, and it’s a fair one — the internet is full of fake breach checkers that steal the data you enter. The short answer is yes, How Exposed Am I is a legitimate government tool run by New Zealand’s National Cyber Security Centre, which sits inside the Government Communications Security Bureau (GCSB) (GCSB Official Report). The official tool URL ends in .govt.nz, and the NCSC’s own website promotes it as part of its cyber resilience mission.
Government backing from NCSC
NCSC is New Zealand’s primary authority on cyber security for individuals and organizations. The agency publishes annual threat landscape reports, runs incident reporting services, and coordinates national cyber resilience efforts (NCSC Official Website). Having NCSC behind this tool means the methodology and data handling follow official government protocols.
Own Your Online connection
The tool sits inside the Own Your Online platform, which NCSC created specifically to raise cyber security awareness for everyday New Zealanders (Own Your Online Platform). This is not a commercial product or a data harvesting operation — it’s a public service designed to show people what scammers already know about them.
How Exposed Am I is a verified government service. If you’re checking it through the official .govt.nz domain, you’re safe — and you’re getting information that could genuinely protect your accounts.
Should I worry if I have been pwned?
“Pwned” sounds alarming, but it simply means your email address has appeared in a publicly available data breach. It does not automatically mean your account has been hacked, your passwords have been stolen, or someone is currently using your information. However, it does mean the data associated with your email — potentially passwords, phone numbers, or security questions — is now in the hands of people who trade in leaked information.
What pwned means
When Have I Been Pwned flags your email, it means that database — containing usernames, passwords, or other details — has been exposed or stolen from a service you used. According to NCSC, information exposed on the internet is easy for scammers to access and can make accounts more susceptible to compromise (NCSC Official Announcement). The risk level depends on what data was exposed and whether you reused passwords across different sites.
Steps to check and respond
If the tool shows you’ve been pwned, don’t panic — but act quickly. Change the password for the affected account if you still have access to it. If you reused that password elsewhere, change those accounts too, starting with your most critical ones: banking, email, and social media. Enable two-factor authentication wherever possible, and keep an eye on financial statements and login notifications.
NCSC recently alerted 26,000 New Zealanders whose devices were infected with Lumma Stealer malware — software designed to steal sensitive information like email addresses and passwords (NZ Herald Report). If you’ve been pwned, assume your credentials may be circulating and lock things down now.
How can I check if my passwords are safe?
The How Exposed Am I tool checks whether your email appears in known breaches, but it doesn’t actively test your passwords for strength or reuse. For a broader picture of password health, you should cross-reference the results with other tools and practices.
Use Have I Been Pwned
The tool itself draws data from Have I Been Pwned (HIBP), the same database Troy Hunt maintains for global use (NCSC Tool Announcement). You can visit haveibeenpwned.com directly to see which specific breaches included your email, what data was exposed, and when the breach occurred.
Google Account password check
If you use a Google Account, Google’s Password Manager includes a breach detection feature that alerts you if your saved passwords have appeared in known leaks. This works independently of the NCSC tool and gives you a second layer of visibility into your credential exposure.
No single tool gives you a complete picture of your password safety. How Exposed Am I tells you if you’re in a breach. A password manager tells you if you’re reusing passwords. Using both together — plus two-factor authentication — covers most of the real-world risk.
What is the meaning of password exposure?
Password exposure means your password has been found in a public data breach — either in plain text or, more commonly, in a hashed form that attackers can crack relatively quickly with modern computing power.
Definition and risks
When a service you use suffers a breach and your password is part of it, that password is now “exposed.” Even if the breach happened years ago and the service has since improved its security, the damage may already be done if you never changed the affected password. Attackers frequently use credential stuffing — taking lists of exposed passwords and trying them across many websites — because people still reuse passwords.
Connection to personal data leaks
Password breaches rarely happen in isolation. The same breach that exposes your password often includes your email address, username, date of birth, or security questions. Combined, this data gives scammers enough to impersonate you, answer security questions, or guess passwords on other sites. The How Exposed Am I tool shows you which breaches have included your information, helping you understand the scope of what is already public.
A password appearing in a breach doesn’t mean it was cracked — but attackers have the time and tools to do it. The safest assumption is that any exposed password is compromised, and you should treat it as if someone already has it.
Does pwned mean hacked?
Not exactly. “Pwned” means your data appeared in a breach that is now public or circulating among threat actors. “Hacked” implies someone has actively used your credentials to access an account. These are different states with different risks, but the line between them narrows quickly if you don’t act.
Difference between pwned and hacked
When NCSC alerts you that your email was in a breach, it means the data was exposed — it does not confirm unauthorized access. “Hacked” means an attacker actually used your credentials or personal information to log in, change settings, or conduct fraud. Many people are pwned without ever being hacked, especially if they change passwords quickly after a breach is disclosed.
Next steps after pwned alert
The standard response is straightforward: change the password for the affected service immediately, then check whether you used that same password elsewhere. Enable two-factor authentication on the affected account if it is available. Monitor your email and financial accounts for unusual activity over the following weeks. NCSC recommends multi-factor authentication combining multiple identity confirmation methods for accounts that support it (NCSC Security Guidance).
Upsides
- Free, government-backed check with no account needed
- Uses Have I Been Pwned database covering billions of records
- Gives a clear starting point for locking down exposed accounts
- Part of a broader NCSC cyber resilience framework
- Available through the trusted Own Your Online platform
Downsides
- Only checks email-based exposure — no device scanning
- Exposure score methodology is not publicly detailed
- Results depend on whether your email is in HIBP, which is not exhaustive
- Does not monitor for new breaches after your check
How to use How Exposed Am I step by step
The process is straightforward and takes only a few minutes. Here is what to do:
- Visit the official site. Go to www.howexposedami.govt.nz (make sure it shows the .govt.nz domain). The tool is accessed through NCSC’s Own Your Online platform (NCSC Official).
- Enter your email address. The tool asks for an email address to check against public data breach databases. You do not need to create an account or provide any other personal information.
- Review your exposure score and breach details. The tool shows which breaches included your email, what data was exposed, and an overall exposure rating. NCSC emphasizes securing critical accounts first: banking, email, and social media (NCSC Official).
- Follow the tool’s recommendations. This typically includes changing passwords for affected accounts, enabling two-factor authentication, and reviewing account settings for unusual activity.
- Check again if your situation changes. If you sign up for new services, change emails, or hear about a major breach, run the check again to stay current.
NCSC also provides incident reporting via an online tool and phone support at 0800 114 115 if you believe you have been targeted or have experienced a cyber incident (NCSC Incident Reporting).
Over 4.3m NZ account details are exposed to scammers.
— NCSC (New Zealand’s National Cyber Security Centre)
The software is designed to steal sensitive information, like email addresses and passwords.
— Michael Jagusch, NCSC Chief Operating Officer (Insurance Business Mag)
How this fits into NCSC’s broader cyber security standards
The How Exposed Am I tool is not an isolated initiative — it sits within a wider set of NCSC programs aimed at raising New Zealand’s baseline cyber resilience. NCSC has mandated 10 Minimum Cyber Security Standards for public sector agencies, with compliance required by October 2025 (Industrial Cyber Report). These standards include a Capability Maturity Model (CMM) requirement with a minimum level at CMM2 Planned & Tracked — essentially requiring agencies to have documented, tracked cybersecurity processes rather than ad hoc responses.
The standards are positioned between the New Zealand Information Security Manual (NZISM) and the NCSC Cyber Security Framework, filling a gap for baseline requirements that smaller public sector bodies can realistically implement. They require cybersecurity policies covering acceptable use, routine compliance assessments, and senior leadership support for security awareness (Industrial Cyber Standards Analysis).
For everyday New Zealanders, the practical implication is that the government is treating cyber exposure as a national-level problem, not just an individual one. The 4.3 million exposed accounts figure is not abstract — it represents real people whose data is circulating and who may face targeted scams as a result.
What device gets hacked the most?
Desktop computers and laptops historically account for the most breach activity because they store more login credentials and have broader software access. However, mobile devices are increasingly targeted, especially through malicious apps and phishing links. The How Exposed Am I tool checks email-based exposure regardless of which device you use, so the platform matters less than whether your credentials have appeared in a breach.
Can I run a test to see if my phone is hacked?
How Exposed Am I focuses on email-based exposure from data breaches rather than device-level scanning. To check if your phone may be compromised, look for signs like unexpected battery drain, unusual data usage, unfamiliar apps, or messages you did not send. For suspected malware like Lumma Stealer — which NCSC linked to 26,000 infected New Zealand devices — run a reputable mobile security app and contact NCSC support at 0800 114 115.
How do I know if my identity has been cloned?
Signs of identity cloning include unexpected financial transactions, credit applications you did not file, changes to your account settings you did not make, or receiving bills for services you did not use. Regularly checking your credit file through a service like Centrix or Equifax in New Zealand can help you spot fraudulent activity early. If you suspect identity cloning, report it to your bank and to Cert NZ.
What is considered the safest password manager?
The safest password managers use zero-knowledge architecture — meaning the service cannot see your passwords — and support two-factor authentication. Well-regarded options include Bitwarden, 1Password, and KeePass. The NCSC does not endorse a specific commercial product but recommends using a password manager to generate unique, strong passwords for every account rather than reusing passwords.
Am I being scammed?
Common signs of a scam include unexpected contact demanding urgent action, requests for payment via gift cards or wire transfer, links that ask for passwords or personal information, and offers that seem too good to be true. If you are unsure, stop communication, verify the sender through official channels, and report suspicious activity to Cert NZ at cert.govt.nz or 0800 237 869.
Is getting paid for surveys safe?
Legitimate survey sites pay small amounts for opinions and do not ask for bank details upfront. Red flags include requests to pay a fee to access surveys, promises of large earnings with minimal effort, and demands for your IRD number or passport before you have earned anything. If a survey site asks for payment to join or requests sensitive documents early, it is likely a scam.
How exposed am i login?
You do not log in to How Exposed Am I — the tool only requires you to enter an email address to run a check. There is no account creation, password, or personal details required beyond the email you want to verify. You can access the tool directly through www.howexposedami.govt.nz or via the Own Your Online platform at ownyouronline.govt.nz.
Related reading: What Is a VPN? · What Is VPN Encryption?