Spark is in the process of contacting Xtra customers whose account security may have been compromised in Yahoo's massive data breach.
Yahoo confirmed the 2014 breach in an announcement this morning, saying computer hackers swiped personal information from at least 500 million accounts in what is believed to be the biggest digital break-in at an email provider.
The company also confirmed information from some of Spark's Xtra customers was included in the stolen data.
Spark was working closely with Yahoo to identify any customers who may be affected spokeswoman Michelle Baguley said.
LISTEN: Paul Spain: The who and why of Yahoo hack
Yahoo had no evidence that the stolen bcrypt-protected passwords or security questions and answers were used to gain unauthorised access to Spark accounts.
The stolen account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo's investigation suggests that information did not include unprotected passwords.
"Spark will be communicating directly with customers who we believe may have been impacted as soon as we have more information," Baguley said.
"We would like to remind all customers to change their password and security questions for their Xtra account and any other account on which you used the same or similar information."
Spark advised all Xtra users to regularly update their account settings with a strong, difficult-to-predict password.
Baguley advised all Xtra customers who had not changed their password or security questions since 2014, or are unsure if they have, to do so on the Spark website using this link: www.spark.co.nz/changepassword.
The company was in the process of preparing to move all of their email systems back home to New Zealand.
The breach follows a list of woes for Xtra users.
In 2014 thousands of customers were temporarily locked out of their accounts until they upgraded their security settings following a spate of security issues.
The email service had been badly hit by spammers, forcing some email accounts to be locked down until users changed their password.
In 2013, Xtra users were hit with waves of spam attacks, one of which forced Spark, then Telecom, to cancel more than 60,000 passwords to affected accounts.
Yahoo did not explain the delay in uncovering a heist that it blamed on a "state-sponsored actor", parlance for a hacker working on behalf of a foreign government.
The Sunnyvale, California, company declined to explain how it reached its conclusions about the attack for security reasons, but said it is working with the FBI and other law enforcement.
Yahoo began investigating a possible breach in July, around the time the tech site Motherboard reported that a hacker who uses the name "Peace" was trying to sell account information belonging to 200 million Yahoo users.
Yahoo did not find evidence of that reported hack, but additional digging later uncovered a far larger, allegedly state-sponsored attack.