Hnaraski declined to name the reseller, which is a major Melbourne IT client.
"This activist group used a very, very sophisticated spear phishing attack," Hnarakis told AP. " They sent very dubious emails to staff of one of our resellers whose area of expertise is looking after the domain names for major corporates including the New York Times."
"Unfortunately, a couple of the staff members of the reseller responded by giving their email log-in details; the group were able to search their emails for sensitive information that included the user name and password for the New York Times, and from there it all cascades," Hnarakis said.
"We don't put this down to a technical failure. We put it down to human error where someone has inadvertently provided their information and from there, a major a site like the New York Times was down for several hours," he added.
The hackers had also tried to hack into Twitter.com, but failed because that domain was protected by an optional secondary security feature offered by MelbourneIT for the past two years. Times had opted not to have the same level of security.
"If they had had the security option turned on, they wouldn't have been affected," MelbourneIT chief technology officer Bruce Tonkin said.
"We do have a security mechanism that would protect the names from this sort of attack," he added. "Naturally, we are reviewing security and doing an incident review and will probably add some additional security."
Tonkin said the hacker seemed to have also accessed the credentials of the Huffington Post domain, which is held by a UK registry.
"The hackers have just posted a screen shot to say they've logged into the (Huffington Post) account, but I'm not aware that they actually changed anything," Tonkin said.