New Zealand telco Spark is working with the web company Yahoo to find out if its Xtra customers are affected, after one billion emails were hacked in a 2013 attack.
Yahoo revealed today the stolen user account information might have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Payment card data and bank account information was not stored in the system believed to be affected, the company said.
It said it believed the incident was separate from its previously disclosed breach affecting 500 million users.
Spark said customers who had changed their password since August 2013 were not likely to be affected, but those who had not should do so now.
It said privacy questions and answers for New Zealand customers were not stored by Yahoo.
The breach was believed to be the world's biggest known cyber breach.
Yahoo, which is being acquired by Verizon Communication Inc for $4.83 billion, said an unauthorised third party had stolen the data and it was working closely with law enforcement.
The company said it has not been able to identify the intrusion associated with the theft.
Yahoo, whose shares were down 2.5 percent in extended trading, said it was notifying potentially affected users and had taken steps to secure their accounts.
New Zealand's Privacy Commission said the latest hacking revelations were a disaster.
Commissioner John Edwards said he was concerned the accounts had been compromised for the past three years.
"We don't know whether password and email information is circulating on the dark web, and available for sale on markets. We don't know how long Yahoo has known about this, and failed to tell its customers. I think it's a disaster, and really undermines confidence in the digital economy."
Mr Edwards said there needed to be mandatory reporting of data loss and security breaches, as well as organisations imposing tighter security measures.
- RNZ / BBC / Reuters