Thousands of Spark customers have been warned their account details were up for sale on the dark web.
But the telco is adamant there has been no breach of its systems, and did the right thing by getting in touch with customers before it was too late.
Spark sent an email to affected customers earlier this week, telling them suspicious activity had occurred on their accounts.
"The parties involved may have been able to view information in your account such as your name, Spark phone number(s), billing history, calling information and data usage information," it read.
Spark reset the passwords on the accounts to put a halt to the crooks.
The dark web, only accessible using specialised software and invisible to search engines like Google, is home to sites that trade in illegal goods, such as account passwords, drugs, weapons and hacking tools.
Of Spark's 1.7 million customer accounts, 21,000 had been potentially compromised. Customers who had their details stolen had used the same password on their Spark account as another website, so when hackers got hold of their details from that other site, they were able to get into their Spark account.
- Spark charged with misleading and overcharging customers
- Spark praised for replies to pride ad haters
Spark told Newshub its security team regularly scours the dark corners of the internet to keep an eye out for things like this.
"This is good community citizenship on our behalf to take steps to make sure our customers have safe credentials," spokeswoman Ellie Cross said.
"If you're reusing your username and password across multiple sites, you're completely vulnerable."
Fewer than 50 of the 21,000 customers had hackers actively inside their accounts, Spark said.
"No actions were taken that would cause the customer any financial loss," said Ms Cross.