The BBC has been criticised by security experts after it hacked into 22,000 PCs in a special investigation into the damage that can be done with a network of compromised computers.

Technology programme BBC Click obtained a botnet compromised of 22,000 hijacked PCs from an underground forum.

The show's presenter Spencer Kelly and a security expert from Prevx then demonstrated how to use these machines to send spam to two accounts it had created with Gmail and Hotmail.

The programme also launched a distributed denial of service (DDoS) attack on a backup site owned by Prevx, with permission.

But Graham Cluley of Sophos said that the experiment contravened the law and it was "clearly an unauthorised modification of computer data".

"Sending spam from someone else's computer obviously gobbles up bandwidth and will use up system resources. Even if the BBC felt the impact would be minimal - it doesn't make it right," Cluley wrote in his blog.

Other security vendors and experts, including McAfee, AVG and Kaspersky, voiced their agreement with Cluley in a discussion on microblogging site Twitter.

Dave Marcus, director of security firm McAfee Labs wrote on Twitter: "Looks like auntie Beeb and helper may have broken the computer misuse act."

Greg Day from McAfee also featured in the BBC Click programme, where he explained the nature of botnets. A McAfee spokesperson said Day was not involved in the botnet demonstration.

BBC Click made a short statement on Twitter: "We would not put out a show like this one without having taken legal advice."

BBC reported the programme has destroyed its botnet, and no longer controls any hijacked machines. The programme also warned users that their PCs are infected, and advised them on how to make their systems more secure.