It's extraordinary that people are only finding out now about a huge breach of Yahoo data that happened in 2014, New Zealand's Privacy Commissioner says.

Yahoo has revealed "state-sponsored" hackers stole data on about 500 million accounts, including names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card information.

The breach took place in 2014 but was made public only last week.

Yesterday Spark confirmed 15 percent of its 825,000 Xtra email addresses were at risk.

Privacy Commissioner John Edwards said it seemed "extraordinary" people were only finding out about it now.

"There's been a lapse in security, there's been a lapse in the encryption and certainly a lapse in the detection after the fact and the notification of customers."

Mr Edwards said Spark seemed to have acted as soon as it knew about the breach and notified affected account users that they needed to change their passwords, and he could not fault the way it had handled things.

"They've had trouble with Yahoo on a number of occasions and have decided to exit that service and offer their customers a New Zealand cloud-based alternative which seems to have a much better security record, so far."

It was increasingly unacceptable to hold unencrypted security questions and answers as Yahoo did.

"When you get a hack that's a personal fact about you that's compromised forever. You can change your password and login - you can't change your mother's maiden name."

Too many people were bewildered by the number of passwords needed and recycled them across sites, and hacks such as this are a reminder to take measures like using randomised passwords.

Mr Edwards said privacy authorities in other countries had issued significant fines to companies and it was timely to look at New Zealand legislation and whether the commission should have similar tools here.