Telecom: 400,000 more need to change Yahoo Xtra password

Chris Quin

Telecom says all of its 450,000 broadband customers have to change their Yahoo Xtra password following twin attacks on the weekend (one a phishing attack, one that compromised Yahoo's mail servers so spam was sent from the accounts of people who weren't even actively using their Xtra address).

So far, around 50,000 have changed their password, Telecom Retail CEO Chris Quin says.

Yesterday, Telecom said it had isolated 20,000 customers directly affected by the attack. All will be required to change their password next time they log on.

Explanatory emails are going out to the first 10,000 affected customers today.

Passwords can be changed here:at

"Yahoo has given Telecom an assurance that changing customer passwords stops malicious 'spam' emails being sent without the customer's knowledge if their account has been compromised. It is also good practice to change passwords regularly," Mr Quin says.

On Twitter, Telecom's tech support team has acknowledged the password change tool has been overloaded at times.

Those changing their passwords will include Telecom CEO Simon Moutter, who last night said spam emails had been sent from his Xtra account after he clicked on a phishing link.

The direct breach of Yahoo's mail servers in Sydney, which host Xtra mail on Telecom's behalf, means there was the potential for people's address books to have been downloaded for use in future spam attacks, and for sent and received Xtra emails to have been copied. Both Telecom and Yahoo say there is no evidence that occurred, but they continue to monitor the situation.


15 Comments & Questions


Kim Dotcom's Mega 'encrypted' email plans look all the more enticing if he gets a service up and running.
Mind you he probably has his hands full at present what with the Mega film someone's making about him. The short trailer on YouTube is going viral.


I have just cancelled my Xtra account and they made it as hard as possible. You end up talking to someone not in New Zealand and they had trouble understanding "I want to close my account".


suggest you should cancel your xtra account as well


I don't use Yahoo Xtra website much, as my emails come through to Outlook. Before this "attack" emails that came through to Outlook disappeared from Yahoo. Since the attack they also stay on Yahoo, first in inbox etc and now in the Trash folder. WHY? I don't want to have to check Yahoo all the time, in order to empty it, as I have never needed to before.
I did receive an email from a friend who did not send it, with a link which I clicked because it seemed from a friend. This was on Monday 11 Feb. I don't know if this has caused any damage to my computer or files or caused risks to me, e.g. should I now change my credit card???
I am angry that Telecom did not issue a news release or notify customers earlier as they KNEW of this problem on Saturday so I believe... I am not computer savvy just use it, and this has caused me much anxiety and waste of time.
I did change password and also deleted my Yahoo contact list, but don't know if that helps.
If Telecom had notified customers as soon as it knew of this danger, a great deal of anguish and fear could have been avoided for 1000s.


Another shambles from Telecom, arising from the inept conversion to Yahoo masterminded by Kendrick who now, god spare us, is running TVNZ. How do incompetent NZ managers keep getting recycled?


New Zealand Telecom go from one shamble to the next. We have the power to stop this. Vote with your feet.
After the XT cock-up I moved both my mobile phone, landline, email, and broadband to another provider.
It was the best thing I could ever have done.
It's saved me a lot of money but more importantly the grief, hassle and lies that you get with NZ Telecom.
Vote with your feet - when enough people leave them, their fat directors with their fat salaries and sickening bonuses might wake up and realise that they are supposed to be a service.


Instead of just changing their password.... I suggest they change their broadband provider.


It is so interesting reading Telecrap's comments, I am an affected user who has waited till today to change my password. Not once did Telecrap contact me


Mr Quin, please explain how the hackers compromised the credentials of so many of your customers? As the previous head of Gen-I I would like to see you providing a bit more of a technical background as to the nature of the compromise. I'm more than a bit edgy that password security with your contractor (Yahoo) is substandard. Perhaps unencrypted? Plain text? Or is it simply that the weak passwords were compromised? If so, how long did the intruders have unrestricted access? Trust is so important in commercial sense, Telecom has been going backwards for so long, yet has the potential to so much more. You are being judged on your performance by the customers, a simple apology will not be sufficient. Yahoo may have dropped the ball, but you are accountable to us, your customers.


Kid you not, I got a lot of emails from those in my Outlook Express address book. A right sh*tload, in fact.
Telecom wasn't being upfront by downplaying the scale of the breach, because it was huuuuuuge.


The details of this hack are already common knowledge, there isn't really a need for Telecom or Mr Quin to explain any more. If you've heard of Google you can search and find out everything you want to know.

The attack was based around a XSS flaw with Yahoo.


You assume too much.
The vast majority of email users struggle with even a Google search and XSS to them is an underwear size.
I've just spent a few hours repairing an Xtra user's email setup when he stuffed it all up totally by reactivating his Outlook download from webmail and complained he couldn't read historical emails on other devices as his webmail is empty. Annoying as he was not a victim of this original Yahoo mess, just panicked due to media reports.


I changed my password on Monday am. On Tuesday evening another wave of spam emails was sent from my account, so changing the password did not stop further attacks.

I don't know anyone who has an xtra account that has not been affected. I suspect that the impact is significantly greater than Telecom are letting on. Day one they said a hundred or so. Now they claim 20,000. Perhaps the real number is 500,000 or maybe ALL!

They should poll that on their website instead of the rubbish they usually feature.

And not even a mention of the incident on their so called news website, when it was headlining on nzherald and nbr, just shows how poor their journalism is.

Any suggestions as to a better ISP?


Xtra is a good ISP, they just have a terrible mail service.

Who in their right mind relies on ISP few email these days anyway when there are so many better options available, many of which are free. When you can have your own domain for email for $10 per year being tied to your ISP email address is just stupid.


Actually, Telecom charge $14 per month for a domain name, plenty more than most of the smaller customer service oriented ISPs

