A Department of Labour administrator's password has been guessed, allowing a hacker to breach the website and access an email subscription list.
Nearly 3000 emails infected with a trojan horse virus were sent to unsuspecting members of the public. The virus allows information such as credit card details to be recorded and sent back to the hacker, the Dominion Post reported.
"Basically, someone deliberately trying to enter the website got lucky," acting corporate deputy secretary Raewyn Pointon said.
Andy Prow, managing director of Wellington firm Aura Software Security, said it was extremely difficult to guess a good password without a "brute force" attack that used special software to bombard a website with random attempts till one worked.
The Labour Department did not believe such software was used in this case.
"For a password to be guessed, it would normally suggest a weak password policy," Mr Prow said.
Ms Pointon said the guessed password had since been "significantly changed" but no other major changes would be made to the security of the department's website.
Many anti-virus programs did not recognise this type of virus, which could only infect a computer if the recipient clicked on a link in the email.
The department spent yesterday contacting the recipients to apologise.
- NZPA
Labour Department website hacked, virus sent to thousands