An internal investigation into complaints about spam revealed that the lists were compromised in March, SparkList COO Steven Brown said in an e-mail to clients on Tuesday.
"This incident does not appear to be a technical, widespread compromise of SparkList servers, due to the fact that most lists were not compromised," Brown said.
SparkList, which was acquired by Lyris Technologies in August, said it suspected former employees were responsible for the theft of addresses because only a small portion of the database was compromised. "An outside entity would not limit itself to a small subset of the addresses available," Brown said.
After the acquisition, Lyris hired only three of SparkList's 20 to 25 employees, Brown had said previously.
SparkList said the organization sending the spam was a "well-known spammer" and that it was exploring its legal options in relation to anti-spam laws. It also said it was assisting law enforcement officials in the investigation.
The company hired Word to the Wise, an outside consulting firm, to investigate the matter after current and former Lyris customers last week that recipients of their e-mail newsletters have been receiving spam.
SparkList executives were not immediately available for comment.
Security vulnerabilities on the Web are not a new thing. A hack at Amazon.com-owned Bibliofind last year nearly 100,000 customer records, including credit card numbers. A security breach at Egghead temporarily the records of 3.7 million of its customer records in late 2000.
Spam, or unsolicited e-mail, has been overwhelming the servers and in-boxes of many Net users, forcing some companies and organizations to take measures to block it. In August, Yahoo found its stores site by Mail Abuse Prevention System, an organization whose lists of suspected spammers are used by other companies to block Web or e-mail access.