Security Incident 20 August 2025

Updates on impact to Hatch users

Written by Support
Updated over 2 weeks ago

↪️ You may have been redirected here when trying to visit the Hatch app

We've temporarily restricted web traffic from some regions. Thank you for your patience while we work to restore normal service.

Suspected Stuffing Attack

One of the ways that Hatch keeps your money secure is through automated detection of potential bots and unusual login patterns. We were alerted to suspicious activity on our platform on the morning of 20 August that we suspect was a credential stuffing attack. We have taken preventative measures to limit the harm this attack could cause. These measures may impact your usual use of Hatch:

  • A CAPTCHA is now required to ensure all logins are from humans - you may see a verification page before you’re redirected to Hatch.

  • Some accounts have been frozen after suspicious login attempts. If your account is impacted, you will see a message when you attempt to log in. Check your inbox for details of how to unlock your account, or get in touch with our support team.

  • Withdrawals placed on 20 August 2025 will be held in the Hatch bank account for an additional day while we carry out additional checks.

🚨 Important: If you ever suspect unauthorised activity on your Hatch account, contact our customer service team at hello@hatchinvest.nz

If you find you’re unable to reach the Hatch site, please sit tight while we work to restore normal service, and try again soon. If you have an urgent issue, get in touch with our support team by emailing hello@hatchinvest.nz

What can I do if my account is frozen?

If your account has been frozen, a message will appear when you try to log in. To restore your account:

An additional layer of defense that you can add right now is using a unique password for each account (preferably with a password manager) and enabling two-factor authentication wherever possible.

🚨 Important: Multi-factor authentication (MFA) or 2FA is your best protection. If you haven’t enabled this yet, set up 2FA now.

What is a stuffing attack?

A stuffing attack (also called credential stuffing) is a type of cyberattack where attackers use automated tools to try stolen username/password combinations across multiple websites and services. This differs from a brute force attack, which tries to guess passwords through systematic attempts; stuffing attacks use known compromised credentials.

How a stuffing attack works

  1. Attackers get large databases of compromised emails and passwords from previous data breaches.

  2. They use automated bots to systematically test these username/password pairs on various login pages. Attackers can test thousands of credentials per minute.

  3. Studies show 65% of people reuse passwords across multiple accounts, so some attempts succeed.

  4. Successfully compromised accounts are then used for fraud, data theft, or sold to other criminals.
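
On the defending side, the difference between credential stuffing and brute force described above is visible in login logs: stuffing looks like one attempt against each of many accounts, while brute force looks like many attempts against few accounts. The Python sketch below is an added example, not Hatch's detection code; the event format, thresholds, function names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success)
SAMPLE_EVENTS = (
    # One source, 40 different accounts, one try each, a single success
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # One source, 30 failed guesses at a single account
    + [("198.51.100.9", "alice@example.com", False)] * 30
    # An ordinary user: one typo, then a successful login
    + [("192.0.2.5", "bob@example.com", False),
       ("192.0.2.5", "bob@example.com", True)]
)


def classify_sources(events, min_attempts=20, stuffing_ratio=0.8,
                     max_accounts_bruteforce=2):
    """Label each source IP 'stuffing', 'brute_force', 'suspicious' or 'normal'.

    All thresholds are illustrative assumptions, not values from the page.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
        accounts[ip].add(user.lower())

    verdicts = {}
    for ip, n in attempts.items():
        distinct = len(accounts[ip])
        mostly_failing = failures[ip] / n >= 0.5
        if n < min_attempts or not mostly_failing:
            verdicts[ip] = "normal"
        elif distinct / n >= stuffing_ratio:
            verdicts[ip] = "stuffing"      # about one attempt per account
        elif distinct <= max_accounts_bruteforce:
            verdicts[ip] = "brute_force"   # many guesses at few accounts
        else:
            verdicts[ip] = "suspicious"    # high failure volume, mixed pattern
    return verdicts


def accounts_to_freeze(events, verdicts):
    """Accounts that logged in successfully from a source flagged as stuffing."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "stuffing"})
```

Grouping by a single source IP is a simplification: real traffic is often spread across many addresses, so production detection usually combines this ratio with other signals such as device fingerprints or CAPTCHA outcomes.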
