Hackers gained access to the University of Otago staff email server recently and used it to send out an estimated 1.55 million spam emails in 60 hours, after tricking four staff members into revealing their login details.
The huge volume of spam mail resulted in legitimate emails being rejected or delayed by other systems, information services manager Mike Harte said.
They were re-sent once the spam attack was over.
The staff members responded to "spear phish" emails which claimed to be from the IT department and asked people to reconfirm their user names and passwords or their email access would be withdrawn.
Armed with login details, hackers could compromise an email address within "a couple of hours", using it to connect to computers outside the university and send out further phish or spam emails.
The four staff members who revealed their passwords had not been disciplined, he said.
"The information security office has a policy of having a good discussion with campus users whose accounts have been compromised . . .
"Rather than issue warnings, [we] discuss what actually happened, why it happened, what the implications are and how users can prevent anything similar happening again."
Staff were warned in April not to fall for the hoax emails, after similar emails turned up at some New Zealand universities.
That warning had now been repeated.
All staff had been told to assume any requests for their login details were "most likely fraudulent", he said.
"To prevent falling victim to these kinds of scams, the key message for any computer user is that they must treat all their logins and passwords with the same care as [any other] PIN - never give it out to any other person."