7 Sep 2014

Spark internet back to normal speed

4:55 pm on 7 September 2014

Spark says internet traffic volumes have returned to normal after a cyber attack that started on Friday night causing disruption to its services.

A spokesperson said a malware attack from overseas caused a huge spike in the number of messages sent out from the computer it was downloaded to, overloading the network.

To manage the problem, Spark disconnected customers who downloaded the malware on their computers.

The company said it would work with those customers to reconnect them.

Spark says the malware attack that disrupted its network could be linked to a major hack of Apple's iCloud earlier last week, in which nude celebrity pictures were stolen.

Hackers broke into the Apple accounts of several celebrities, stole their nude photos, and leaked them on the internet.

Then on Friday night, a malware attack from overseas hit Spark customers in New Zealand.

Spark says some customers' computers were being taken over in the attacks and then used to attack others, causing congestion.

The company is trying to find out where the attack came from, and says it serves as a warning to customers not to click on links they are not sure of.

Some of Spark's customers had had their internet access cut off, while for others it had slowed down.

Spark's website showing problems with its network on Saturday night. Photo: RNZ / Kim Baker Wilson

The spokesperson said the attacks have increased in frequency over the last few weeks, but it is a problem telecommunications companies are constantly dealing with.

Meanwhile, a lobby group for internet and phone users said there were unanswered questions about why Spark was the only provider affected.

The acting chief executive of the Telecommunications Users Association, Chris O'Connell, called it an extraordinary situation.

"Why would malware only affect Spark customers? Just on probability you would expect that say half as many infected computers would be turning up on the Vodafone network because that's their equivalent market share.

"I haven't heard of any other networks running into this problem so it could be bad luck or it could be there is some technical adjustment within their network."

Mr O'Connell said it was like finding a needle in a haystack because the company has over 600,000 customers and it needs to get affected computers off its network.

"From talking to them they're basically saying they now have so much fibre in their system that it can be swamped with traffic, because it now moves traffic so fast."

However, he said Spark initially ran into problems communicating with its customers.

"I've seen this happen on other occasions where the obvious way of communicating with their customers doesn't work because the network's down.

"It just shows the problems that these modern companies with large outsourced call centres and other things have - when something goes wrong people want a dedicated hands-on and local response."

Spark scrambled to find a fix

Spark's chief operating officer, David Havercroft, said on Saturday the attacks were not damaging its network, but the problem was the congestion they were causing.

"It's basically getting hold of a customer's broadband connection and their machine and using that to reflect on a massive amount of traffic. They're targeting customers who are predominantly fibre customers so we've got 30 times the bandwidth and speed that a traditional broadband customer would have."

Spark has been able to tell the attacks are coming from overseas IP (Internet Protocol) addresses, and traffic is then being sent from its customers' computers to Slovakia.

Spark's headquarters in Auckland. Photo: RNZ / Kim Baker Wilson

"They tend to happen very regularly from around the world. What is slightly different about this one is the scale of it and the fact that it has been causing so much congestion.

"I'm afraid what we do see in this game is that we make a change and whoever's trying to put through the malware is watching the implications and trying to also adjust their attack."

IT specialist Daniel Ayers said the company was having to find each customer that was affected and stop the extra traffic coming from their computer.

What is happening

  • Spark customer computers are attacked from overseas
  • Their computers are used as proxies to send data offshore again
  • The data is being sent to Slovakia but it is likely it ends up somewhere else
  • Other Spark customers have their services slowed or lost because of congestion
  • Spark has put in new equipment and defence software and staff are monitoring
