Spark says 130,000 customer email addresses may have been compromised in Yahoo's massive data breach.

Yahoo confirmed the 2014 breach on Friday, saying computer hackers swiped personal information from at least 500 million accounts in what is believed to be the biggest digital break-in at an email provider.

The company also confirmed information from some of Spark's Xtra customers was included in the stolen data.

Today, Spark said staff had been analysing the data provided by Yahoo to identify the Spark customers who may be affected.


"We take this matter very seriously and will be progressively communicating directly with these customers who may have been impacted, from today, and over the course of the next 48 hours," Spark said.

"The number of email addresses potentially at risk is 130,000, which is around 15 per cent of the total Xtra email address base. Spark will be asking these customers to immediately change their passwords if they haven't already."

Spark said it had been informed by Yahoo that there was no evidence of the stolen information being used to gain unauthorised access to Spark accounts.

"To maintain a secure online profile, Spark advises all Xtra users to regularly update account settings with a strong, difficult-to-predict password. All Xtra customers who have not changed their password since 2014, or are unsure if they have, should do so now on the Spark website using is this link.

"As previously announced, we are currently in the process of preparing to move all of our email systems back home to New Zealand.

"If customers have already registered to have their email moved to SMX, they don't need to do that again. Similarly if customers have changed their password as part of the SMX registration process they won't need to do it again."

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

Privacy Commissioner John Edwards said it was not yet clear when Yahoo became aware of the hack.

"We are grateful that Spark quickly alerted us about this breach and immediately began taking action to resolve it," Edwards said.

"However, the fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification.

"Every day counts in a data breach and agencies need greater incentive to take a leaf out of Spark's book by promptly telling customers that their personal information has been compromised."