Telecom has admitted its outsourced YahooXtra email service has been compromised by hackers resulting in some YahooXtra customer accounts being hijacked to send out malicious email.
It is advising all YahooXtra customers to change their passwords.
The company initially blamed a deluge of compromised accounts on a successful phishing attack, saying customers were tricked into clicking on scam emails, but has now acknowledged a "second attack" that was outside customers' control.
"We understand from our own technical investigations that the security of some YahooXtra email customer accounts may have been compromised, making it possible for emails to be sent from these accounts without the customers' knowledge," the company said in a statement.
Telecom said it could not tell how many customers had been affected but it believed it was a small percentage of its approximately 500,000-strong customer base.
Telecom retail boss Chris Quin, said it was working with Yahoo to investigate further. "We would like to apologise to all our customers for any distress or inconvenience caused and assure them that we are doing all we can, in conjunction with Yahoo, to resolve this incident."
Institute of IT professionals CEO Paul Matthews said Yahoo has been subject to a well-documented attack. "There is no doubt whatsoever [attackers] are using actual contact details from Xtra email accounts."
Matthews said the Institute is aware Yahoo had been subject to a major cross-site scripting (XSS) attack over the last few weeks which it said had been patched a few days ago.
"We've received notes from many of our members who have encountered this and the subsequent Xtra issues on client sites.
"Given the nature of these emails - sent indisputably to Xtra contact lists, in some cases to people who haven't been in contact for a long time and others very recently - it's highly likely that either the issue wasn't patched successfully, a new attack vector has been found or more likely, contact lists have been harvested during the initial attack to enable this secondary attack on Xtra email holders.
"According to security sources, this original attack appears to have been due to a vulnerability in the Yahoo Developers Network, due to blog software that hadn't been updated for at least nine months. The fact that there was an XSS vulnerability at Yahoo has been known since at least November," he says.
"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."
One victim, YahooXtra customer Michael Beckett, said scam emails were sent from his email address while his computer was turned off and he was out on a boat.
"I went to change my password, but that kept on crashing and when I went to delete my contact lists - which is what the hack had programmed their malware to exploit - I couldn't delete the addresses."
Telecom says neither it nor outsourced email provider YahooXtra are responsible for a massive malware attack on Kiwi internet users that began over the weekend.
Many internet users have received rogue emails from friends and colleagues who are YahooXtra customers, containing links to websites that are designed to infect their computers with malware.
Telecom says a sophisticated phishing attack on its customers, rather than any breach of YahooXtra's own security, appeared to be responsible.
Telecommunications Users Association chief executive Paul Brislen said a "significant" number of YahooXtra customers - possibly in the thousands - appeared to have had their computers compromised.
Brislen said Telecom's explanation appeared unlikely as the victims include many professionals who he would not normally expect to fall for phishing scams.
But Telecom spokeswoman Jo Jalfon pointed the finger in the direction of a phishing scam that was also reported to have affected Google, the world's largest email provider, that was outlined in a Whaleoil blog.
The perpetrators of that scam appeared to be able to "guess" email addresses that might be known to others and included them in the "To" field of the phishing emails - making it more likely recipients would trust and open them.
That malware attack had "organised crime written all over it", according to the blog, and appeared designed to steal people's credit card details.
Jalfon said it did not know had many customers been affected. The advice to those who have been affected is to change their Xtra passwords.