Short answer: If staff or business account details may be exposed, firms should check password reuse, MFA coverage, Microsoft 365 sign-ins, mailbox rules, external forwarding, and access to client or finance folders. The goal is to reduce the chance that one reused password becomes a wider firm incident.
What this helps you check
Use this as a practical starting point for a calmer internal review.
- Password reuse and exposed credentials
- MFA coverage and sign-in alerts
- Mailbox rules, forwarding, and administrator access
The National Cyber Security Centre's Own Your Online service is currently warning New Zealanders that millions of New Zealand account details are exposed to scammers. Its 30 June 2026 update on stolen passwords, together with recent NCSC material on data leaks and business email compromise, is a useful prompt for professional services firms.
This is not a reason for panic. It is a reason to check the everyday controls that protect email, client files, finance workflows, and staff identities.
For legal, financial, and advisory firms, account exposure can become a firm-level issue when work emails are reused on personal sites, passwords are shared across services, MFA is missing, or old mailbox rules quietly redirect sensitive conversations.
The current NZ signal
On 22 June 2026, Own Your Online summarised NCSC's Quarter 1 2026 Cyber Insights message: high-profile data leaks are a reminder that organisations cannot be complacent about protecting sensitive information.
Own Your Online's business guidance also links exposed or reused details with familiar business risks: business email compromise, phishing, ransomware, and theft of sensitive or confidential data. Earlier NCSC material warned of a spike in business email compromise affecting the financial services industry and encouraged checks of auto-forwarding rules, filtering rules, and unusual login behaviour.
The EQIQ angle is deliberately narrow: when account details are exposed somewhere else, the firm should still know whether those details can be used to reach its systems.
1. Separate work and personal accounts
A work email address should not become the login identity for personal shopping, file-sharing, social media, or trial software. If that external service is breached, the firm's address becomes part of a list attackers can test or target.
Set a clear rule for staff: work accounts are for work systems. Personal services should use personal accounts. The rule is simple, but it closes a common path from an unrelated breach into a professional services environment.
2. Check password reuse before it becomes urgent
One exposed password is much less damaging when every important account uses a different password. Firms should encourage or provide a reputable password manager, remove shared passwords where possible, and make unique passwords the normal way of working.
Start with the systems that matter most: Microsoft 365, practice-management tools, finance platforms, client portals, remote access, domain hosting, payroll, and administrator accounts.
3. Make MFA coverage visible
Multi-factor authentication should be enforced on Microsoft 365 and other critical systems, especially for administrators, partners, finance users, shared mailbox owners, and anyone handling client records.
Do not assume MFA is universal because it is enabled for some people. Review the actual coverage, exceptions, legacy authentication settings, and recovery methods. Exceptions often become the weak points.
4. Review Microsoft 365 sign-ins and mailbox rules
If credentials have been exposed, the first practical checks are often inside Microsoft 365: unusual sign-in locations, impossible travel, unfamiliar devices, new inbox rules, hidden filtering rules, external forwarding, and unexpected mailbox delegates.
These checks matter because business email compromise often works quietly. Attackers may watch a mailbox, redirect finance emails, hide warnings, or use a real account to send credible phishing messages to clients and contacts.
5. Reduce the blast radius around sensitive folders
Credential exposure is more serious when the affected account can see too much. Review access to client files, finance folders, HR records, archived matters, leadership documents, and Teams channels with broad membership.
Old sharing links, unmanaged guest access, and inherited permissions can quietly expand the impact of a single compromised account. Least-privilege access is not a slogan; it is how firms keep a small issue from becoming a large one.
6. Practise the first response
A short exercise is enough to expose gaps. Pick a realistic scenario: a staff member's work email appears in a breach, a partner receives a suspicious MFA prompt, or a shared mailbox starts sending unusual messages.
Then test the basics. Who disables sessions? Who checks mailbox rules? Who reviews file access? Who contacts affected clients or suppliers if needed? Who records the decision trail? Who decides whether external advice is required?
Common questions
Does an exposed account detail mean a firm has been breached?
No. It can mean an email address, password, or related detail appeared in another breach. The practical response is to check password reuse, MFA, sign-in activity, and mailbox controls.
Why does this matter for professional services firms?
Legal, financial, and advisory firms rely on email, Microsoft 365, client files, finance workflows, and trust in identity. Exposed credentials can make phishing, account takeover, and business email compromise easier.
What should firms check first?
Useful starting points include MFA coverage, Microsoft 365 sign-ins, mailbox forwarding rules, inbox filtering rules, administrator accounts, shared mailbox delegates, and access to sensitive client or finance folders.
Is this article legal, financial, regulatory, privacy, or compliance advice?
No. It is general information about technology risk and operational readiness, not legal advice, not financial advice, not regulatory advice, not privacy advice, and not compliance advice. Firms should take appropriate professional advice for their own obligations and circumstances.
Source note
This article is based on official New Zealand Government cyber guidance from the National Cyber Security Centre and Own Your Online: Own Your Online's 30 June 2026 stolen-password update, its 22 June 2026 data-leak update, the Own Your Online business guidance page, and its 2 March 2026 warning about business email compromise affecting the financial services industry.
Compliance note: This article is general information only. It is technology-risk and operational-readiness guidance, not legal advice, not financial advice, not regulatory advice, not privacy advice, not cybersecurity assurance, and not compliance advice. Firms should take appropriate professional advice for their own obligations and circumstances.
Book a Conversation
