Member log in

Telecom to review its Xtra email service; Quin hints Yahoo could be dumped

UPDATE / Feb 12, 2.15pm: Telecom says it will review its email service to its broadband customers "following a series of issues which have impacted negatively on the Yahoo Xtra service over the past year."

The reveiw will take place over the next two months.

“We share the frustration that our customers have been experiencing over recent months. We fully appreciate that repeatedly saying ‘sorry’ doesn’t cut it anymore. We are committed to taking a close, hard look at the best way to meet our customers’ email needs,” Telecom Retail CEO Chris Quin says.

The review will be carried out in consultation with Yahoo.

“When Telecom outsourced the Xtra email service to Yahoo in 2007, it was the right thing to do at the time in terms of meeting our customers’ desire for an ongoing email service associated with their Telecom broadband account," the Telecom Retail boss says.

"However, the global email environment has changed markedly since then and we believe the time is right for a comprehensive review of our approach in this area.”

Mr Quin's language is diplomatic. But the bottom line is clearly that Yahoo could be dumped. 

On this point, a rep for Mr Quin offered the gnomic: "The review will be comprehensive and cover all options as to what email services will be provided by Telecom to its customers and how those services might be provided."

Telecom owned 49% of YahooXtra at the time of the company's (rocky) switch to Yahoo email hosting in 1997 (a shift that took place soon after Telecom divorced itself from MSN, run by one-time Telecom shareholder Microsoft). The balance of YahooXtra was owned by Yahoo's Australian subsidiary, Yahoo7. Telecom sold its YahooXtra stake to Yahoo7 in 2011.

Alternatives are out there. Before its retail business was sold, Telecom's Australian subsidiary AAPT offered its customers Google Apps, which includes Gmail.

Beyond the problems of the past few days, Telecom customers have suffered multiple problems with the Yahoo Sydney-hosted Xtra email service - including a series of foul-ups in May and June last year. More recently, a problem with a cut submarine cable let to more email sending delays, and sniping between Telecom and Yahoo's bandwidth manager over who was to blame for a delay getting the news to customers.

LATEST - Yahoo NZ: Sorry

UPDATE / Feb 12: Telecom says ome customers are having trouble resetting their Xtra password due to overloading (password can be changed at 

PC World has reported instances of PCs crashing when people use Telecom's password change tool, possibly because of a conflict with Symantec's Norton security software.

Telecom is investigating the issue.

UPDATE / Feb 11, 3pm: Telecom has finally conceded that problems with its Yahoo Xtra mail system are worse than it first said.

Previously the telco said mass spamming problems over the weekend, and into today, were caused by a phishing attack - or an attempt to use lure people into giving up logon and other personal details by sending them an email that looks like it's from a real organisation. People who were taken in had spam sent from their Xtra address to all their contacts.

This afternoon, Telecom said its investigations had led it to believe there was a second, related attack that compromised mail servers at Yahoo (which hosts Xtra mail from Sydney).

That ups the ante, says Institute of IT Professionals CEO Paul Matthews.

Reiterating points he first made to NBR yesterday, Mr Matthews explains the attack on Yahoo itself meant it wasn't just a case of everyone in a user's address book getting spammed, as in a common-or-garden phising attack (typically triggered by a user foolishly clicking on a malicious link in a fake email).

Rather, email accounts had been hijacked on Yahoo's mail server, and directly accessed peoples' Xtra mail. It also meant the attackers had potentially downloaded users' address books to target later. Or even their sent and received Xtra email.

"Yes it's a possibility but we’ve had no evidence that this has occurred," Telecom spokeswoman Joanne Jalfron told NBR ONLINE this afternoon. Telecom Retail CEO Chris Quin later added, "There is no proof, yet, but obviously it’s a concern and we’re working with Yahoo on that."

Telecom believes only an unspecified "small percentage" of its customers were affected.

The company says the Yahoo vulnerability has now been fixed. Affected customers are still advised to change their Xtra password at

But given that address books and sent and received Xtra emails may have already been, you could say the horse has already bolted.

Telecom's email partnership with Yahoo has brought several rounds of tears since its disastrous launch in 2007 (under then consumer division head Kevin Kenrick, recently appointed TVNZ CEO).

Some will be wondering whether it will be on new CEO Simon Moutter's hit-list when he unveils his strategic plan shortly.

ABOVE (click screenshot to enlarge): A gold example of the Yahoo Xtra email hack, and the way a user's mail account can be hijacked without them going anywhere near their inbox (as opposed to foolishly clicking on a malicious link to compromise themselves - although that techique is being to spread the Yahoo vulnerability). An NBR reader received the above email from the Xtra address of one Neal Nicholls. Keen readers will know the former Capital & Merchant Finance director is currently a guest of her Majesty. And, no, prisoners are not allowed email or internet access.

UPDATE / Feb 11, 2pm:  Xtra's latest round of email problems are far worse than the common-or-garden "phishing" attack described by Telecom, a leading IT expert says. 

Institute of IT Professionals CEO Paul Matthews says it is clear Yahoo's own security has been breached, resulting in a flood of spam messages over the weekend and continuing today.

"Phishing" attacks on Xtra and all email systems are common. Hackers send fake emails to thousands of addresses, hoping respondants will click on a malicious link.

"The institute has been notified by a number of members that Yahoo appears to have been the subject of a major cross-site scripting (XSS) attack in recent weeks which now appears to have been mutated to Xtra email over the weekend. Xtra mail is outsourced to Yahoo and a large number of Xtra customers appear to be affected," Mr Matthews says, elaborating on his comment after NBR ONLINE's initial story. 

"The root issue was caused by a vulnerability on Yahoo’s network and the phishing is a side-issue," he says.

"Basically, it was being spread via an email getting people to click a link to a fake site. The email appeared to come from someone they knew, as they were in the sender’s address book, with a note saying 'take a look at this' or something similar.

"The link took them to a site that appeared to be a news story but in the background, exploited the Yahoo vulnerability to gain access to their Yahoo mailbox.

"Once it had control of the account it then appears to have sent itself to everyone in the victim’s address book.

"However, it’s quite possible they also downloaded the address book of every affected user and possibly all of their historic sent and received Xtra email, so things could get far, far worse, depending on what they decide to do with that if they have."

Disturbingly, Mr Matthews says Yahoo seems to have known about the vulnerability for some time.

"The fact that there was an XSS vulnerability at Yahoo has been known since at least November, when a hacker attempted to sell details of the vulnerability," the institute head says, citing a January report from security company BitDefender after a similar attack in Australia last month.

"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."

A Telecom spokeswoman told NBR the company is seeking a further update from Yahoo.

NBR is also seeking comment from Yahoo.

UPDATE / Feb 11 2pm: Telecom is unsure how many customers had their email accounts compromised by a "phishing" message that slipped through the security screens of webmail partner Yahoo.

Those who clicked on the phishing email had their account hijacked by spammers, who used it to spray spam messages to the victim's contacts.

"Telecom has no way of knowing exactly how many customers were affected as many customers will have simply deleted suspicious emails but we had around 150 customer calls from those that had opened the email," spokeswoman Joanne Jalfon told NBR.

Ms Jalfon says the problem hit around 4pm Saturday. It was fixed Sunday morning, but some of those who got hit before the fix are still having problems. This morning, social networks were rife with people complaining they were still receiving junk messages from Yahoo users.

Yahoo Xtra customers who are still sending spam emails to their contacts should change their password.

"If any customers are experiencing on-going issues, we ask that they contact Telecom's Broadband Helpdesk on 0800 225 598," Ms Jalfon says.

The problem hit all local users of Yahoo's webmail, and by extension uses of Telecom's Xtra mail, which is hosted by Yahoo in Sydney.

Sun Feb 10: Telecom says a problem with Yahoo's mail service meant some customers receiving "phishing emails" - scam messages that would usually be blocked in most instances.

The problem was widespread with Yahoo and, by extension, those who use Telecom's Xtra web mail service, which is hosted by Yahoo's Sydney operation).

Phishing messages seek to fool a person into providing details such as their logon or password to a bank, usually by sending an email that apes a genuine message (typically, banks and others do not ask for personal details by email).

Some Telecom customers using Xtra mail have also noticed bounced emails, or strange messages sent to their contacts - a sign their account has been hijacked by spammers. 

Telecom remains all affected customers reset their Xtra email password, which can be done via

Yahoo fixed the problem this morning, Telecom says.

However, emails received before this morning should be treated with suspicion. 

And hijacked users who have yet to change their password are still sending spam email to their contacts.

"If you have received any of these emails, we recommend that you delete these without opening them and under no circumstances should you reply to these emails with any log on, password or personal information," Telecom says.

More by Chris Keall

Comments and questions

I am calling bullish*t on the above from Telecom. There would appear to be a security compromise of their systems which caused the spam messages to be sent to non-Xtra clients like myself.

Front up Telecom.

[A number of these comments were made on Sunday, or otherswise before Telecom's Monday afternoon update - CK]

The cause of the issues has been (finally!!) fixed by Yahoo now, after going on for up to a month. Xtra outsources their email to Yahoo and the vulnerability only appears to have mutated to Xtra in the last few days.

It was caused by a XSS vulnerability in an instance of Wordpress on Yahoo's site that went unpatched for at least 9 months. Very slack indeed.

Details here:

However given that whoever set this up now has the contact list of potentially millions of accounts, I suspect the spam emails, purporting to come from affected accounts, will continue for some time yet (if not indefinitely).

Moral of the story? Be very, very careful who you use for email. There are good options and not-so-good options.

Actually it's possible this is a different one - I see the one referred to above was apparently fixed a few days ago. If not that specific vulnerability it appears to be pretty similar.

I just got a email 3PM to my Gmail from the person I live with but they were on the couch watching TV and not even on the PC, Nice one Telecom NZ " You Suck " anything to out source

Telecom New Zealand do not take security seriously! Pay peanuts get monkeys! Best thing anyone could do is change provider which I did to a provider that has Call centre based in New Zealand and not in some 3rd world country! Vodafone NZ have treated me well

Actually, 2/3 of telecom's call centre staff are located in NZ, and the small percentage that arent are a heck of a lot more well mannered than most NZ call centres. Vodafones call centre is actually not in NZ.

I thought Vodafone brought their call centre back here?

They did have some in Egypt but brought it all back home for more control.

Vodafone's call centre is in NZ.

This issue isn't fixed at all, at per Telecom's Facebook we brought this to there attention last night. Still this afternoon we're noticing SPAM emails coming through our network.

This is a network compromise which looks to have obtained large amounts of passwords and seem to spamming addresses that are in the users Webmail.

A notification should have been sent to all users to urgently update all and email addresses.

who the hell are you trying to fool Telecom? emails hacked, still are, phishing emails STILL getting sent. Fixed my @$$

Suspect xtra's system is seriously compromised.

Have received an email this evening. Here is the first line in the header.
Received: from [] by via HTTP; Sun, 10 Feb 2013 20:13:11 NZDT

The reverse IP address
I doubt that the purported sender is sending emails from a PC in India!!

The link in the email redirected to a work from home site that Firefox reported as a web forgery.

I recommend that ALL xtra customers immediately change their password.

Xtra should consider blocking all accounts, and only unblocking after a password change.

Someone has gained access to my small Telecom/Yahoo webmail contacts list and is having a right old time spamming these contacts and my account. It appears my normal contacts list on my own computer have not been compromised. My computer checks out virus free so they have done this by getting the email password or otherwise accessing the contacts list via the Yahoo website, or in some other way.
How can Telecom say the problem is fixed when someone has the contacts list - who should not have it?

My Xtra account was hijacked also. I did not click on any spam link. The phishing explanation is bs - their system has been hacked.

Xtra and Yahoo are trying to down-play the enormity of this mess. The spams that have been sent out from my account have in some cases been sent to people I have made one-off contact with and never bothered to put in my contact list; the addresses are therefore being sourced from existing emails, a major breach of privacy.
I am so anal about security I won't touch any social network sites let alone any links!
And I always buy maximum security.
Come clean, Yahoo, stop treating your clients like a bunch of inept geriatrics.

Xtra have sent people emails to my contacts Im not happy

Xtra spam is still coming thick and fast from people I know who use xtra. By god I'm glad I got out of xtra years ago. Typical of Telecom NZ - greedy profiteering and NO customer focus.

Seems to me that the spam has not only gone to addresses on my yahoo contacts list but to any address that I've ever sent an email to dating back for at least 5 years! That is one well and truly compromised system...

Thanks Telecom. l am also getting spam emails from my wife's xtra email account. Good work yet again. You guys rock.! Please don't say something is fixed when it clearly is not. Just fix it, thanks.

I also got bounces to emails that I hadn't used in years. And people I know received emails from an old email I haven't used in months.
And if it is "fixed" then why are the emails still coming through.
Have been a loyal Telecom customer for years, but will now be changing.

Bah humbug... they say it's fixed, load of cobblers. Am still receiving these emails from xtra customers this morning.

Thanks Xtra, this is a huge bulls up. Nothing has been fixed I got up this morning to a new wave of unwanted emails from my customers and my mother. Change the password you say. Would help if the system was not overloaded! My question to you is: have you emailed your customers and apologised and given them advice on what they can do to make themselves safe?

how can they email us when they have blocked our xtra accounts? So frustrating!

I'm still getting them at 8am this morning (11/2/13). Fixed, my ar**e.

Had heaps of junk mail - 37 in all when i logged into email account this morning. Have changed my password so maybe that might help. This is the 1st major problem I have had and have been with Telecom for years. If it happens again I will change.

We noticed on Friday the our outbound xtra mail was being stopped as spam by recipients.
Investigation revealed xtra (not us) was on 4 spam blacklists and that is why our mail was being marked spam and blocked.
This morning we are still having problems sending even to each other in the office. Emails are being held up or lost somehow.
All our emails use xtra to send and third party to receive. We can send and receive by other means so it seems to be just xtra we are having problems with.

I wonder if Telecom have shares in the Work From Home spam sh*t I have been receiving from xtra account holders. I wonder if "xtra" is short for "xtra spam?"

Given that Telecom generally don't know when problems start, and generally aren't sure how to fix matters, it seems likely that they don't know if or whether they have been resolved.

Telecom's explanation is a lie. Accounts were compromised without the customers clicking on any phishing emails. I got spam from the accounts of at least 2 xtra customers who haven't opened any emails for weeks. One of them has been dead for over a month.

Why blame Telecom when Yahoo is the issue?

Why partner with Yahoo when they can't provide email security for your customers? Of course, we blame Telecom.

Still no apology email from XTRA.

This is very embarrassing. I have had to mass apologise to all in my address book for something I did not do!

It's the final straw for me!

Boo hoo Terry, get a grip!!

I received 2x just this morning!

I personally cannot believe a word Telecom/Xtra/Yahoo says about this incident. I received 8 separate emails this morning to my work address, relayed from 5 different clients between 17.55 Saturday afternoon and 04.29 today. Thankfully, there have been none more recently.

It's far from fixed. Still sending emails to and from my contacts this morning. Have changed password 3 times in the past 48 hours.

Woke this morning to find all my contacts had been spammed by Xtra - while I was asleep! Most of my customers were affected and have now blocked my emails - makes it easy to work, NOT. Also great fun trying to get through to the help line - gave up after 20 minutes waiting. Time to tell them to stick their email service where the sun don't shine!

You should get a real email address if your a business cup cake

This has been going on for a lot longer than they want to admit.

I have been receiving spam messages for at least a month now from spoofed email addresses from my Yahoo address book.

I am certain the problem is Yahoo.
Xtra/Telecom need to shoulder the blame for giving its customers a downgraded Yahoo service rather than the Yahoo advertising free 'promail', as was the original service.
I have evidence a couple of years ago that my xtra password ended up with fraudsters in Europe. I mistakenly gave the Telecom helpdesk in the Phillipines my password on request while trying to sort out a slow broadband issue. My stupid mistake as two weeks later an email I purposely planted a lot earlier as bait with a trapdoor activated and I was notified someone was reading my mailbox from IPs in London and Ireland. No damage done but it proved to me that Telecom/Yahoo cant be entirely trusted. Be careful out there, folks!

I'm an xtra customer. I returned home after a weekend away to find lots of returned emails from email addresses I have used but not on my email list. I immediately thought, "Oh no, I have a virus". My computer checked clean. I have been very careful and am sure I have not gone to any links in emails I get.

I rang Telecom Broadband help desk very late Sunday night. There was an automated message saying there was a problem but it was fixed. I waited to speak to a real person. I asked what was being done to go to addresses sent emails to warn them or any public warnings. I was told that it was going to be on TV.

I accept Yahoo is the likely villain here. However, Telecom should be much more communicative about this problem and more honest about its cause and its rectification.

This is a really serious issue being hidden here.

Ha, ha. Nice try, Telecom. It may not be your fault but attempting to deflect it the whole way through makes it look even worse. First, it's because people clicked on dodgy sites, then it's that you may have a breach but you "believed it was a small percentage of its approximately 500,000-strong customer base". Riiiiight. I've had my Yahoo email account for 10+ years. Never had anything happen prior to this. The woman who sits next to me had hers hacked too. Me thinks it's a few more people than a "small percentage..."

Wake up nation! I'm a seasoned network, web and database software developer with many years under my belt. I do web security consulting from time to time.

THIS IS NOT A PHISHING ATTACK. Although if I was in their shoes, I'd be trying to downplay it, too.

I took some time to analyse all the evidence I had and:

IT Professionals CEO Paul Matthews is 100% correct that the servers got hacked, because:
- Spam was sent to everyone in the sent and received folders. So not just the address book. Everyone that has ever sent me an email got spammed.
- As others have mentioned, even accounts that weren't used in a year or two were broken into. So how can that be caused by phishing?

Phishing means that you get duped into manually entering your credentials into a fake login form. Ok, you can ignore our claims that we're not so gullible, but what about accounts that were accessed in a long-long time?!

Stop with the BS, seriously. The phishing tale is an insult to all Yahoo/Xtra users because that would imply that we're all naive cretins who fall for phishing scams en-masse, even those of us with advanced industry knowledge.

I have 2 or 3 email addresses linked to the main mail account.
spam emails sent only from the main default acount and NOT from sub accounts.
which means access to address book only?

You're talking about something different entirely.

Please read carefully. Anyone whose mail messages resided in your sent folder or inbox was included in the spam list. In other words - their email addresses were extracted from your inbox and sent folder and used to send spam e-mail.

Why are people arguing with this is beyond comprehension. I've got the proof right here, in my mail account. Want screenshots?!

Can anyone explain why this only occured on my default account and not sub accounts ( in old xtra days you could get separate mailboxes all pointing to the same default address.

The 2 email adresses in the same inbox folder of default account did not get any spam.

From what I've seen in the emails I've seen I'd say it's unlikely that the attackers cared about the contents of the email accounts. Seems like they've simply compromised the passwords of many accounts and then logged in to the webmail and sent emails directly from there to contacts in the webmail address book.

It's possible (or likely even) that they'd have downloaded email address to add to future spam lists, but I'd assume it's unlikely they'd go to the effort of actually downloading email from the accounts.

Presumably the only reasonable way to stop the attacks, if we assume potentially all logins are compromised, would be to change all passwords (assuming attackers no longer have access to user database).

Dylan, you're wrong. I had 3 Yahoo accounts hacked yesterday. One that I don't use on a regular basis.

In all of them I have only 2-3 e-mails in my address book. They sent spam to everyone that's ever contacted me and that I ever sent messages to. They used addresses from the inbox and the sent folders. The number of people that got spammed totaled close to a hundred - that's with only two-three addresses in my contacts list.

They scanned the e-mails. With a bot.

There is a default (already ticked) setting in Xtra Webmail,
options-> mail options -> sending messages -> Automatically add new recipients to Contacts.

It's the contacts stored on webmail. Not that this makes any real difference on how the distribution lists were obtained.

The potential impact is to future emails sent from the xtra mail user's mailbox. These may not be delivered or directed to the spam folder as friends and business associates have already reported the individual's messages as spam to their mail provider. If you don't get a response, on an important message, follow up with a call.

That's a neat feature no doubt. Except mine has never been enabled. My contacts list is empty. BUT anyone who's ever written to me or got an e-mail from me was spammed. That means that even one-off mail recipients were targeted.

How many times do I have to repeat this. ALL mail was scanned. I'm NOT making this up. Is that so hard to grasp?

The answer is to have your own domain name on an independent server. It might cost a little more, but you can avoid this nonsense. The only spam I get is from my daughter in law's Yahoo! email account in Europe, which requires her to change her password often, after I let her know her address book has been hacked. I was thinking of investing in Telecom after the separation from Chorus, but not now, unless they take back control of their ISP email service and look after their customers. MSN was a joke and Yahoo! is an even bigger joke.

Is Telecom going to bother emailing their customers? Or do they think we all read and watch the news. This is Telecom again showing us that their PR is more important than their customers. They should never have done this deal with Yahoo and worse will occur next time.

Just tried to change my password. System advised me that password change was not currently available, try again later. What a joke.

So glad I didn't choose to use my Xtra email address when I started my own small business this year! Even without these security issues Yahoo Xtra is a pretty cr*ppy service. Orcon's is a bit better and seems to be far more secure, which is ironic given they're smaller than Telecom. Step it up, Telecom - you're meant to be a leading NZ company. Act like one!

There seems to be a lot of NBR readers here that are stupid? lazy! IT ignorant? or born whiners?
Reading these posts, I believe most, if not all the above adjectives, may well apply!

Im concerned my email is still compromised. I have changed my password yet im still getting returned unknown receiver messages. I wish Telecom would not try and hide and ignore this. My reputation and credibility is at stake here and as far as I can ascertain I have done nothing wrong at my end.

You, not Telecom, have allowed a phisher into your computer's address list. DOH!! May I suggest YOU fix it? Okay?

Dont be a dick, John. Telecom have already been forced to admit that it was their servers that were hacked, not individual accounts. Nice try as a Telecom apologist, but you are a bit late. The truth is already out there! "Xtra" now stands for "Xtra spam".

When an email is sent, the sending server will try to deliver at regular intervals (commonly 5, 15, 30 minutes, then 1, 2, 4 and 18 hours). Only then will they return with a "fail" message. What you'll find is that even after you've changed your password some older emails won't have reached that 24 (or so) hours of retrying yet so you can expect a few more before they're all done.

still no email received by me from either Telecom or Yahoo

I do not think this attack on Yahoo's servers is new. In mid-December I received an almost identical message purporting to be from a US friend via his email account at
Have other ISPs experienced similar hacks and dealt with them? If so, what a sad indictment for Yahoo/Telecom that it doesn't keep up with what is going on elsewhere and take remedial action to avert these problems.

Second World country IT.

I'd trust Kim Dotcom to get this sorted. But Telecom? hmmm not so sure.

This problem has been going on for months and months - we seem to being using the delete button every day and every time we check for incoming emails (like most people we never click the link and just hit the delete button). We try to remain loyal as Windows Live email does work well and has a good calender - but patience is wearing thin.

As off today my yahoo upgrade has created a virus in my address book.
It is now sending email out to all saying I am in Dubai and need financial help urgently to get out of the country.
All day I have had emails, phone call and text messages from friends or anyone in my AB to see if I really need help or where am I.
The email as my EMAIL address plus my first name at the bottom requesting for help.
I am not the only one.
Chris Quin "saying sorry does not cut it any more.
I have no emails on my server all cleaned out. I have some projects - closing for tender and some orders to place plus orders to receive.
My computer needs a IT person to clean the virus in my address book (AB). Who is paying for all this costs. HELP me Telecom - Yahoo is the worst thing that Telecom could ever do for email system.

What I would like is for Telecom to give us some clarity on what the Xtra Spam is likely to be doing damage wise to the compromised computers/accounts. It seems no one wants to be explaining the likely 'damage' that it is doing. We seem to be avoiding talking about this bit of detail, which many people I beleive want to know.

Am very angry. The bank phoned me yesterday to tell me someone in Australia was trying to withdraw money from my account and it could only have come from my Yahoo xtra email box. I pay for this yahoo mail box. For what? I have 2 other yahoo email accounts in the UK and US. These are free. Why is that? As soon as I can I will rid myself of Yahoo NZ and xtra. Bye Bye Telecom. Enough is enough

Oh bulls**t, the only way your bank details could have been compromised is if YOU were stupid enough to enter credit card details into a website. None of the email issues reported here have anything to do with credit card details, so you only have your lack of intellect and stupidity to blame for this one mate.

A "review" by Telecom? I'd rather hear what a telecommunication CEO has to say.