Yahoo's Xtra email service has been raided by attackers who appear to have stolen address book contacts, spamming scores of New Zealand customers in what could be one of the biggest attacks of its kind in the country.
The attackers are suspected to have exploited a vulnerability within the company's network to gain access to the user contact details of the NZ-based service.
The company said the hole has now been closed. Spokeswoman Joanne Jalfon told NBR online it was a "possibility" that address books were stolen but said the company "had no evidence that this has occurred".
But retail chief executive Chris Quin told 3News a spammer had 'got into Yahoo and distributed a phishing email across a number of contacts in that customer base,' which was then distributing itself through users' contact emails.
The company did not respond to further requests for comment.
Institute of IT Professionals chief executive Paul Matthews told NBR it was clear Yahoo's security had been breached.
"The institute has been notified by a number of members that Yahoo appears to have been the subject of a major cross-site scripting (XSS) attack in recent weeks which now appears to have been mutated to Xtra email over the weekend," Matthews said.
"A phishing link took them to a site that appeared to be a news story but in the background, exploited the Yahoo vulnerability to gain access to their Yahoo mailbox.
"Once it had control of the account it then appears to have sent itself to everyone in the victim’s address book."
He said it was "quite possible" attackers downloaded contact lists of all victim users.
If contact lists were stolen, the spam surge could continue.
"There's not a lot that Yahoo can do if that's the case," HackLabs director Chris Gatford said.
"They could put additional spam filtering on accounts, or perhaps filter out spamming accounts. You would think they would have the tech in place."
Angry users took to internet forums and social media to vent anger at the spam surge with some claiming to still be receiving the emails despite Yahoo announcing it had fixed the problem.
Yahoo earlier this month patched a Document Object Model (DOM)-based cross-site scripting (XSS) vulnerability that was capable of running in multiple browsers once Yahoo Mail users open spammed malicious links.