Telecom says all of its 450,000 broadband customers have to change their Yahoo Xtra password following twin attacks on the weekend (one a phishing attack, one that compromised Yahoo's mail servers so spam was sent from the accounts of people who weren't even actively using their Xtra address).
So far, around 50,000 have changed their password, Telecom Retail CEO Chris Quin says.
Yesterday, Telecom said it had isolated 20,000 customers directly affected by the attack. All will be required to change their password next time they log on.
Explanatory emails are going out to the first 10,000 affected customers today.
Passwords can be changed at telecom.co.nz/changepassword.
“Yahoo has given Telecom an assurance that changing customer passwords stops malicious ‘spam’ emails being sent without the customer’s knowledge if their account has been compromised. It is also good practice to change passwords regularly,” Mr Quin says.
On Twitter, Telecom's tech support team has acknowledged the password change tool has been overloaded at times.
Those changing their passwords will include Telecom CEO Simon Moutter, who last night said spam emails had been sent from his Xtra account after he clicked on a phishing link.
The direct breach of Yahoo's mail servers in Sydney, which host Xtra mail on Telecom's behalf, means there was the potential for people's address books to have been downloaded for use in future spam attacks, and for sent and received Xtra emails to have been copied. Both Telecom and Yahoo say there is no evidence that occurred, but they continue to monitor the situation.