"The number of email addresses potentially at risk is 130,000, which is around 15 per cent of the total Xtra email address base. Spark will be asking these customers to immediately change their passwords if they haven't already."
Spark said it had been informed by Yahoo that there was no evidence of the stolen information being used to gain unauthorised access to Spark accounts.
"To maintain a secure online profile, Spark advises all Xtra users to regularly update account settings with a strong, difficult-to-predict password. All Xtra customers who have not changed their password since 2014, or are unsure if they have, should do so now on the Spark website using is this link.
"As previously announced, we are currently in the process of preparing to move all of our email systems back home to New Zealand.
"If customers have already registered to have their email moved to SMX, they don't need to do that again. Similarly if customers have changed their password as part of the SMX registration process they won't need to do it again."
The stolen account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Privacy Commissioner John Edwards said it was not yet clear when Yahoo became aware of the hack.
"We are grateful that Spark quickly alerted us about this breach and immediately began taking action to resolve it," Edwards said.
"However, the fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification.
"Every day counts in a data breach and agencies need greater incentive to take a leaf out of Spark's book by promptly telling customers that their personal information has been compromised."