The YahooXtra email service is the victim of two separate, but potentially related "malicious" attacks, Telecom said yesterday.
The security breach, which began on Saturday morning, saw emails sent to everyone on users' contact lists, asking them to click on a link directing them to an online advertisement.
Telecom said the attacks were believed to have similarly affected other Yahoo mail users using Yahoo servers.
The first attack was a phishing attempt, Telecom said, where some customers received emails purportedly from people they knew containing a link to a suspicious website.
Clicking on the link sent similar emails to certain contact on their address lists.
The second attack has compromised the security of some customers, making it possible for emails to be sent from their accounts without their knowledge, Telecom said.
While it was difficult to know how many accounts had been affected, Telecom believed it was a "small percentage" of the total customer base.
It did not offer any additional advice to earlier warnings for victims to change their passwords.
Telecom's CEO retail Chris Quin said while Yahoo's security was sophisticated, no system was 100 per cent bullet proof.
"... As we have seen from this incident, cyber-attacks by global criminals are becoming increasingly sophisticated.
"We are currently working with Yahoo! to investigate further," Mr Quin said.
"We would like to apologise to all our customers for any distress or inconvenience caused and assure them that we are doing all we can, in conjunction with Yahoo!, to resolve this incident."
Despite claims that a small percentage had been affected, YahooXtra customers have been saying that the spam issue plaguing their mailboxes is worse than the email service is admitting and it's still happening, despite assurances it had been fixed.
The company said it was told early Sunday that the issue had been resolved, but customers told the NZ Herald the problem was far from over.
Carl Black disputed Telecom's claims that customers must have clicked a link.
"I got spam from my dead brother's account.
"He obviously hasn't been clicking any links, and for Telecom to blame him for this is just insulting," he said. APN , APNZ