Spark has confirmed 130,000 of its Xtra email addresses are "at risk" after the 2014 Yahoo hack that compromised up to 500 million users' accounts.
It says it's trying to get in touch with affected customers and is advising them to change their passwords immediately.
Privacy Commissioner John Edwards says he's concerned Yahoo may have known about the attacks for months before alerting its customers.
"We are grateful that Spark quickly alerted us about this breach and immediately began taking action to resolve it," he said.
"However, the fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification.
"Every day counts in a data breach and agencies need greater incentives to take a leaf out of Spark's book by promptly telling customers that their personal information has been compromised."