Member log in

NetSafe boss warns stolen Yahoo Xtra data could be used for future attacks

UPDATE / Feb 18: First thing Monday morning, Telecom was around 50% of the way through the process of cancelling an additional 60,000 Yahoo Xtra passwords (on top of 15,000 already cancelled).

"We've been told by Yahoo this is the final batch of accounts. We can safely say that's the end of this particular issue," Telecom's general manager of customer service Trish Keith told TVNZ's Breakfast this morning.

But while Telecom has summarily cancelled thousands of passwords, thousands who have been shutout are facing a 90 minute-plus wait on the phone to reset their Yahoo Xtra details. The company says around 10% have hit the phone rather than change select a new password online. People are being told to head online first, but the website has been at times overloaded.(The cancelation process invovles a temporary password being issued, which customers are asked to update via phone or online).

Telecom has steadily upped its estimate of customers affected by the Yahoo mail server security breach, and the separate phishing attack.

Can a line be drawn under the affair, as Ms Keith hopes?

The direct mail server security breach meant phishing emails were sent to the contacts of some people who were not actively using their Xtra account, let alone clicking on a dodgy link.
Institute of IT Professionals NZ CEO told NBR ONLINE over the weekend that his members continue to investigate the possibility that Xtra address books and email were downloaded for later use by the hackers. Telecom and Yahoo acknowlege the nature of the Yahoo mail server security breach meant it was possible this had taken place. But both say there is so far no evidence it happened. Mr Matthews asks if there's any evidence it didn't.
Passwords should have been cancelled a week ago - NetSafe
Martin Cocker, CEO of the part goverment-funded watchdog NetSafe, is also concerned.

"The purpose of changing passwords now is to stop hackers being able to access the email accounts. This should have be done immediately following the breach. A lot of damage can be done in a week," Mr Cocker told NBR ONLINE this morning.

"Telecom will be able to force the change of 75000 passwords and that will re-secure the Xtra email, but that certainly won't be the last act in this saga. The stolen information will continue to be used for spam and phishing attacks," Mr Cocker says.

"Some of those phishing emails and contacts might be targeted very accurately once the cyber criminals take the time to analyse the stolen data more accurately. This is especially so if the content of emails was stolen during the breach. Yahoo and Telecom appear unable to confirm this hasn't happened - so we need to assume it has in the meantime."

It should be noted that it is not only Xtra customers who will feel the ongoing repercussions of such a large data loss, Mr Cocker says.

"Many of those people targeted (or "spear phished") will be contacts of the affected users."

Wait times up to 90 minutes
Wait times on Telecom's help lines reached an hour an a half ovr the weekend, Ms Keith said. Ninety percent of customers had changed their password online, but the balance were hitting the phones - clogging the company's NZ and Manila call centres for all-comers.

Telecom has upped its call centre staff numbers by 50% this morning in an effort to get on top of the overloading.

It would also up numbers by 50% tomorrow.

"By then we should see the back end of this problem," Ms Keith said.

The GM reiterated that Telecom is reviewing its contract with Yahoo, which hosts its Xtra email out of Sydney.

ABOVE (click screenshot to enlarge): A graphic example of the Yahoo Xtra email hack, and the way a user's mail account can be hijacked without them going anywhere near their inbox (as opposed to foolishly clicking on a malicious link to compromise themselves - although that techique is being to spread the Yahoo vulnerability). An NBR reader received the above email from the Xtra address of one Neal Nicholls. Keen readers will know the former Capital & Merchant Finance director is currently a guest of her Majesty. And, no, prisoners are not allowed email or internet access.

Telecom ups Yahoo Xtra attack estimate from 20K to 80K

Feb 16: Telecom has upped the number of people it says have been directly affected by the Yahoo Xtra mail server security breach and phishing attack from 20,000 to 75,000 - and is proactively cancelling accounts.

The company has tonight begun cancelling the current passwords of around 60,000 Yahoo Xtra email accounts it believes to have been compromised by last weekend's "cyber attack" (and close followers of the debacle will note the company has moved away from simply calling it a "phishing" attack in its latest statement).

These additional 60,000 customers, on top of the existing 15,000 that Telecom has been contacting over the past few days, will now be required to enter new password information when logging into their email account (around 5000 from the first 20,000 affected immediately reset their password).

The move by Telecom is aimed at protecting its email customers and preventing information contained within their emails being accessed although to date there is no confirmed evidence, by Yahoo!, that this has occurred.

Telecom CEO Retail Chris Quin says 60,000 of the 450,000 Yahoo Xtra customers have changed their password since last weekend but updated details on compromised accounts means the best way to protect customers is to cancel the current passwords of these additional 60,000 accounts.

“We’re taking this matter very seriously,” says Mr Quin, “and urge those whose passwords have been cancelled to create new passwords. However, it’s advisable for all others that have not changed their password, to do so immediately both on their computer but also on mobile devices and tablets. We continue to be sorry for any distress caused or inconvenience this has caused and reinforce that in today’s online world regular password changes are an important need.”

More by Chris Keall

Comments and questions

Nice one Telescum just admit that 100% of xtra / yahoo email accounts have been compromised, first you say it 20k then 50k and now 60k,

My account has not been compromised so they can't say 100% when it's not true. The fact is they are discovering more and more so they can only say when they know.

How do you KNOW your account hasn't been compromised? Just because Telecom hasn't told you doesn't mean that they haven't got into you account and downloaded messages etc....

I have already changed my password after useless Yahoo permitted hackers easy access to my account and contacts; I trust Telecom won't force me to change yet again.

I wonder if Telecom\Xtra\Yahoo will demonstrate just how sorry they are now that the horse has bolted. Giving away our email addresses, password and contacts is a breach of our contract and privacy and they should be more contrite and prepared to compensate people for any inconvenience, embarrassment, and annoyance.

I hardly think passwords were being "given away".

You don't understand the issue. Passwords weren't compromised. The attackers hijacked sessions by cross site scripting attack and manipulating the session cookies. The issue is that people's emails and contacts were then accessible by the attackers.

Well put.
Telecom Xtra and Yahoo individually or combined will fail to appreciate what has happened and I fully expect.....nothing. As usual.

How about admitting that some people just do not, or will not, configure and use their PC responsibly.
Are they too dumb or too lazy?
Reading some of the whingeing posts from the affected, I fear it is more likely the former.

Poor understanding of what happened there John... to compromise that many passwords the Yahoo server would have been hacked not 75,000 individual PCs.

But then again, you do always take every chance to be a condescending pr*ck :-)

Well put Anon.

DUH. Then why were not all xtra clients affected?
I'll tell you why, because those clients who are not intellectually challenged (all xtra clients minus about 70,000) dumped the emails as they came in.
Wasn't hard

No emails came in to be dumped. You have really mis-understood the problem here, but are freely abusive anyway. Not hard to behave like that is it?

You know, when you find yourself in a hole, sometimes it is best to stop digging John. Your ignorance of the issues is obvious and you are just making a fool of yourself. Give it up and recognise when you are out of your depth (and in this case, even that is pretty shallow)...

John - even Telecom knows more about what happened than you do.

You don't seem to know the facts of the situation - this was not caused by any user fault, but a security flaw on the Yahoo system.

Dear Telecom,
Thank you for emailing me to let me know that you'd already cancelled my password...

Now it's 75k. Come on Telecom, stop the BS.

FFS, how thick are you? Do you really think that Telecom want this issue to be ongoing, and that they'd lie about the numbers, forcing a subsequent admission and action and media coverage? The only BS is that spouting from your mouth.

Anonymous - OK Telecom first said that there were 60,000 affected now it's 75,000 - was their first figure "BS" or incompetence?

Perhaps they were being transparent and communitcating what they knew, when they knew it?

I'm glad I dumped Yahoo years ago and shifted to gmail.

Good luck to those who stick with Xtra email, your going to need it.

You are totaly incompetent. PC world identified this scam in April 2012 and Yahoo / Telecom were aware of it but you chose to sit on your hands and do nothing.

Your answer service says we should have been notified by email that you were deleting passwords and you needed to change them. How about thinking about this "HOW THE HELL ARE TO TO READ YOUR E-MAIL IF YOU HAVE DELETED MY ACCESS." If brain cells were water you would be the Sahara Desert!

I agree. Is happened to me this morning when I tried to login. Tried to use the change password facility but that repeatedly meaning I had to call the help desk.........30 minutes later password reset a second time. Time wasting service provider!

I went to log on to my email account last night and found that the password didn't work. My first thought was that I had been hacked again.
After waiting nearly two hours without success to get through to Xtra I eventually got through to someone by calling Telecom faults. Having already changed my password after last weeks debacle I found that Xtra had this time cancelled my password . Fortunately once my password was reset I was able to read the email that Telecom sent me after they had already deactivated my password!!! This is after spending half of last weekend advising clients not to click on any link that was from my email address. Great service Telecom though I expect that you will be making me an offer to compensate me for the aggravation and lost time!

Dear God. Is Yahoo mail still around?This is like back to the future.

The Yahoo service has been trashy from the start. Placing your digital mailbox with a local ISP is always a bad move. Best to stick with hotmail/gmail billion-dollar companies. Profits are based on reputation and service quality.
Most Xtra users are simply trapped in the 90s. With a failed telco.

FYI, Yahoo is not local. But agree with the sentiment.

Telecom/Yahoo cannot tell us exactly what private information was copied which is a serious concern for Xtra users. The spammers now have tens of thousands of valid email addresses which they sell to other spammers and we call expect to be spammed even more for a very long time. I realize Telecoms or yahoos spam filter will stop many it is clear the spammers are very smart to make sure they avoid the filters by trying new methods to trick the Yahoo server and it's users. Time for Yahoo to. E ditched by Telecom!

In this type of breach you simply need to consider it all breached and take the necessary steps to secure anything else that may be breached in the future.

If Telecom won't ditch Yahoo, will you ditch Telecom?

I am so glad I moved to Orcon about a year ago and have been using gmail for years. I knew that Xtra and Yahoo working together would be trouble. I just wonder how they managed this long without a disaster like this.

So were is the simple walk through that should accompany any press release like this from Telecom.
For those that use outlook or other email clients and have never gone to xtra's online mail here is a walkthrough for them.
Don't use xtra, is the recommended setting, Like the reason telecom uses Yahoo for handling your emails is purely price, yahoo is the cheapest. Telecom being the biggest email provider in NZ should look after your emails themselves. IMO.
Should Simon Moutter be embarrassed for sending phising email to people in his address book, well yes, The hole was found and published on youtube (stupid) to get someone to sort it. Aussie yahoo sorted it but not for NZ. Is that odd or incompetent.
Win Moore

It's neither odd not incompetent, it is service costs apportioned to revenue.

Can't get my emails. Won't recognise my password, or my personal information to change my passwords. It is now 11:52pm and I have been waiting over an hour to talk to someone at Telecom. This takes me back 20 years. Telecom cannot blame it all on yahoo - they are just as culpable. I will be looking for another provider as soon as I can. Thank god for gmail.

Telecom don't even have Administrator rights to unlock an account that has been locked due to passwords being cancelled without the user being notified. I now have to wait 12 hours to access a business email account.


You really need to move your business email on to something more professional. Speaking from a personal perspective, when I see a business with an @xtra (or @gmail/@yahoo/etc) email address I think it looks unprofessional.

Switching to a cloud-based provider is cheap and effective for a small business and a lot less likely to have stuff like this happen. Microsoft's Office 365 or Google Apps are both good choices. Both will work fine with you having a domain name of your own, too (i.e., instead of or

I hope you manage to get things sorted...

Maybe because Telecom isn't Yahoo?

Why anyone would use and address is beyond me.

I am one of the dumbs, as John Morrison above puts it, because I hadn't configured my emails properly. I don't confess to being email savvy, let along a guru, so when I set up an account with a provider such as Telecom then I expect to be protected. Naive, I know, but I would imagine a lot of the others are in the same boat. We are not all tech heads. Other than being an Xtra customer and having "remember me" ticked, I have done nothing wrong. Incidentally, I see they now say don't tick the "remember me" box yet when I went into Xtra in the weekend to change my password, what do I find automaticlly ticked upon making the change the "remember me" box. At least they could make this change to help their customers avoid an issue in the future.

Richard, you do not have to be a tech head. You are not one of the dumbs.
Trust yourself and only yourself and you'll be fine.
The "dumbs" I rail about are the ones that are constantly bleating to Gov. Telecom Power company for help.
Remember Richard. If it doesn't kill you, you WILL be stronger and wiser for the experience.

Reading through some of the comments above I have to say Telecom have done you a favour in freezing your accounts. I'd like to know how many people clicked on the links in the (incredibly obvious) spam they received?

Absolutely correct.. I received the spammers missive and all I can say it beggars belief that anyone would open their "link".

This is only the start - then you have to fix all your other devices and sometimes the call centre is just not up with how to do that. Took 1 hour just for this bit on my mobile as the standard procedure do not work even if you try after more than 5 times with the same person on the line and lost all my mail settings now.

Let's assume it takes 30 mins to reset your password and update your email clients. 38,000 hours of NZ lives lost to Yahoo. 18 years of full-time productivity lost. Let's pay that person $50K.

I updated my password last night after being prompted by the online instructions on - quick and painless, and took a whopping total of 2minutes. What is your 30 minutes based on?

Cancelled the password and locked the total account. No email and cant access any account information.

But wait..................Quinn and co have sent me an email to reset my password,
So how do I and 75000 others recieve the bloody email when the accounts blocked....................go figure.......

Reading all these comments and everyone blaming big businesses any chance they get. Has anyone actually thought that since Yahoo is a separate company to Telecom why blame Telecom? Most of you like to blame and blame you do you. I work at Telecom myself and seeing exactly how everyone these rallied around helping the public sort out the password resets was nothing short of amazing. You should really thank Telecom for the effort they put in to help these 75,000 customers. Well done Telecom!!!

If you slap Telecom Xtra cobranding on Yahoo, then it's only natural, and right, that Telecom customers should expect Telecom to face up to its responsibilities.

There are lots of annoyed Telecom customers right now, who are wondering why it took Yahoo the best part of a week to give the full picture on how many were affected, so Telecom is quite correct to be reviewing it partnership with Yahoo.

Yes I am not denying a review of the partnership. All I am commenting on is the total dedication of customer service that Telecom showed during this time. Its real concern for each and every customer who had issues with password resets was and is a real testament to how we work.

I spent weeks changing to professionals (Telecom) just prior to all this
What a JOKE - no password changed, long phone queues and a very pIssed off Maurice.
Penny pinching in the name of profits and not service will see me go back to previous server ASAP.