"Please check that your credit card is valid," the message read. "... note that your account may be suspended if it reaches a negative balance before your next successful top up."
A Kerikeri woman said she was "extremely concerned" about her personal email address being exposed to hundreds of other people.
"There's some unscrupulous marketing people out there who will on-sell your email and contact details - who knows who on Earth now has my email. It's very alarming," she said.
"The email also identified all of us as having insufficient funds on our credit cards and that's tainted us. Now we've all been tainted because of this."
The woman, who did not want to be named, said she wanted a proper apology from the agency about the "breach in privacy".
What made it worse was the agency repeating its error when trying to recall the original email, she said.
Assistant Privacy Commissioner Katrine Evans said it was an easy error to make, but it could have consequences.
"Lists of email addresses can be a treasure trove for spammers and scammers," Ms Evans said.
Often a simple apology would be enough - but if people had suffered harm by the disclosure of information, the organisation should consider whether some other kind of help was necessary, she said.
Another recipient, Lucinda Haworth, said she had been shocked to see the "huge" list of email addresses.
"Maybe an A4 page and a half of names," she said. "You don't want all that out there."
Junk mail would be the immediate worry, she said.
"Luckily, there's no credit card information on there. But now it's getting so easy to hack into accounts and find out more about people."
The blunder showed poor standards at the authority, she said.
Some recipients discussed the breach on Twitter, while others replied to the agency using the email list.
"Does anyone else find it unacceptable being sent each other's email address by a government department? I'm guessing you all haven't topped up either but did you really want to know about me?" said one.
Jayson Bryant was another affected customer, and wrote on Twitter that it was "third world service".
He said the apology email he had received included 500 other recipients.
NZTA put the addresses in the "carbon copy" (CC) field instead of the "blind carbon copy" (BCC) field, where they would have been invisible to other recipients.
NZTA spokesman Andy Knackstedt said in a statement: "I can confirm that the email was mistakenly sent with customers' email addresses in the 'CC' field. The number of customers affected was 996. The NZTA has apologised."