Telecom updates on Xtra email crisis, Yahoo refuses to answer on key point
Telecom has updated NBR ONLINE on its ongoing Yahoo Xtra email problems.
"As of 7.30pm last night, 61,000 of the compromised accounts had changed their passwords, out of 87,000," spokeswoman Joanne Jalfon told NBR ONLINE.
(Crisis completists will note 87,000 is a nudge up from the previous "final" tally of affected users - 80,000 of 450,000).
"The vast majority have changed their passwords online with 10,000 needing assistance on how to change their passwords on their mobile devices and tablets," Ms Jalfon says.
A key point of tension was that only 5000 heeded the initial call to change their password after the Yahoo mail server security breach, and separate phishing attack.
That meant Telecom had to summarily cancel the passwords of the remaining affected users.
Customers who had their password cancelled were issued a temporary password, but also directed to set a new password. Many headed online, leading to website overloading at times.
But around 10,000 hit the phones, leading to wait times of 90 minutes to speak to a human so they could reset their account details and regain access to their email. Those who called included customers who had forgotten the answer to the password change prompt question.
Extra staff were brought in to NZ and Manila call centres on Monday and Tuesday to deal with the deluge.
This morning, "Call wait times are returning to normal," Ms Jalfon told NBR.
"Some simply felt 'silly' at forgetting the answers to their password change questions, and others simply appreciated having someone to walk them through the process over the phone."
Other customers wrongly believe they need to change broadband provider to set up another email account such as Gmail, Ms Jalfon says.
Meanwhile, Yahoo put out a statement complaining there was a lot of (unspecified) "misinformation" being spread about the incident.
“There is a lot of misinformation around what may have caused this vulnerability in the Yahoo! email product and the type of information that may have been compromised. There is currently no evidence to support reports that access has been gained to any user information beyond the customer's email address book or that this issue is related to any issues overseas, although we continue to investigate this,” says Laura Maxwell-Hansen, GM of Yahoo New Zealand.
Drawing on discussion in the tech community, NBR put a question to Telecom and Yahoo: Are Xtra passwords encrypted into cookies on a customer's computer or tokenized at the server end and just the token stored on a Yahoo server? ("This would explain their insistence on changing the password but would certainly not be regarded as good practice," a well-placed industry insider told NBR).
Telecom referred the question on to Yahoo.
After a couple of days, a spokeswoman responded: "Yahoo does not share how email passwords are encrypted."
Presented with this response, Institute of IT Professionals NZ CEO Paul Matthews told NBR, "It's certainly reasonable for them not to disclose absolute details about methods of encryption. However, their customers do have the right to know whether they follow recognised good practice or not."
A key point of interest remains whether passwords were stored in cookies on customers' computers, encrypted or otherwise.
"We’re very much looking forward to Yahoo and Xtra officially outlining, in detail, exactly how a huge number of Kiwi email users’ accounts were accessed. Given the scale of the disruption, we hope this disclosure will be forthcoming soon," Mr Matthews says.