Email and internet service provider PlusNet has admitted a security breach in which spammers hacked into the company mail server to steal customer account details and spread junk mail.

PlusNet urged its customers, via a message on its website, to change their email passwords following the security breach earlier this month.

The attackers took control of the firm’s mail server and stole a list of email addresses. The hackers then used these details to send spam.

The ISP confirmed that some users may also have been exposed to a Trojan horse. But, the firm said that no financial information, such as credit and debit card details, had been snatched.

According to PlusNet, a third party was responsible for the attack, which was discovered by the company on 9 May. After the breach an undisclosed number of customers began to receive vast amounts of spam, including offers for discounted pharmaceuticals.

“After a full security audit, PlusNet’s webmail service was taken offline permanently at midday Wednesday, 16 May, as a precaution against a number of minor potential security vulnerabilities that had not been exploited,” Neil Armstrong, products director at the ISP, said in a statement.

A replacement email service has now been set up for customers to access their accounts.