SquirrelMail was broken into in late June, at which stage its operators said they were unaware of reports that the plug-ins used on the service had been compromised.
However, the Heise Online newswire service posted a report last night that earlier reports of plug-ins being compromised were correct.
The security newswire pointed to a posting on the Squirrelmail site admitting that the code to the following plug-ins had been compromised.
sasql-3.2.0
multilogin-2.4-1.2.9
change_pass-3.0-1.4.0
The bad news is that the compromised versions of the plug-ins reportedly steal user passwords and relay them across the internet.
Perhaps worse, says Heise, there is no data on how to spot an infected version of a plug-in, nor why it took more than a month to discover the tampering.
"The announcement by the SquirrelMail project 'strongly recommends' that users of the affected plug-ins reinstall them for the sake of security" said the newswire.
SquirrelMail is a web-based email application originally developed by Nathan and Luke Ehresman.
Written in the PHP scripting language, the application can be installed on almost all web servers as long as PHP is present and the web server has access to an IMAP and SMTP server.
The programme - which is available in around 50 languages - is used by a number of companies and at least one major ISP in the UK, Infosecurity notes.
The application outputs valid HTML 4.0 for its presentation, making it compatible with a majority of current web browsers.
SquirrelMail uses a plugin architecture to accommodate additional features around the core application, and over 200 plugins are available on the SquirrelMail website.