Telecom updates on Xtra email crisis, Yahoo refuses to answer on key point

Telecom has updated NBR ONLINE on its ongoing Yahoo Xtra email problems.

"As of 7.30pm last night, 61,000 of the compromised accounts had changed their passwords, out of 87,000," spokeswoman Joanne Jalfon told NBR ONLINE.

(Crisis completists will note 87,000 is a nudge up from the previous "final" tally of affected users - 80,000 of 450,000).

"The vast majority have changed their passwords online with 10,000 needing assistance on how to change their passwords on their mobile devices and tablets," Ms Jalfon says.

A key point of tension was that only 5000 heeded the initial call to change their password after the Yahoo mail server security breach and separate phishing attack.

That meant Telecom had to summarily cancel the passwords of the remaining affected users.

Customers who had their password cancelled were issued a temporary password, but also directed to set a new password. Many headed online, leading to website overloading at times.

But around 10,000 hit the phones, leading to wait times of 90 minutes to speak to a human so they could reset their account details and regain access to their email. Those who called included customers who had forgotten the answer to the password change prompt question.

Extra staff were brought in to NZ and Manila call centres on Monday and Tuesday to deal with the deluge.

This morning, "Call wait times are returning to normal," Ms Jalfon told NBR.

"Some simply felt 'silly' at forgetting the answers to their password change questions and others who simply appreciated having someone to walk them through the process over the phone." 

Other customers wrongly believe they need to change broadband provider to set up another email account such as Gmail, Ms Jalfon says.

Yahoo: misinformation
Meanwhile, Yahoo put out a statement complaining there was a lot of (unspecified) "misinformation" being spread about the incident.

“There is a lot of misinformation around what may have caused this vulnerability in the Yahoo! email product and the type of information that may have been compromised. There is currently no evidence to support reports that access has been gained to any user information beyond the customer's email address book or that this issue is related to any issues overseas, although we continue to investigate this,” says Laura Maxwell-Hansen, GM of Yahoo New Zealand. 

Drawing on discussion in the tech community, NBR put a question to Telecom and Yahoo: Are Xtra passwords encrypted into cookies on a customer's computer or tokenized at the server end and just the token stored on a Yahoo server? ("This would explain their insistence on changing the password but would certainly not be regarded as good practice," a well-placed industry insider told NBR).

Telecom referred the question on to Yahoo.

After a couple of days, a spokeswoman responded: "Yahoo does not share how email passwords are encrypted."

Presented with this response, Institute of IT Professionals NZ CEO Paul Matthews told NBR, "It's certainly reasonable for them not to disclose absolute details about methods of encryption. However, their customers do have the right to know whether they follow recognised good practice or not."

A key point of interest remains whether passwords were stored in cookies on customers' computers, encrypted or otherwise.

"We’re very much looking forward to Yahoo and Xtra officially outlining, in detail, exactly how a huge number of Kiwi email users’ accounts were accessed. Given the scale of the disruption, we hope this disclosure will be forthcoming soon," Mr Matthews says.

Comments and questions

The Telecom/Yahoo association over the past few years has been one of consistently poor performance and a buck-passing lack of accountability.

Spam messages not blocked, legitimate business email blocked, convoluted processes to get changes made and unfulfilled promises of improvements.

The sooner Yahoo are dumped, the better it will be for Telecom/Xtra. At the moment Yahoo are an albatross around their necks and simply serve to further damage an already poorly regarded brand name.

Lucky I never even bothered to get an Xtra email address when I switched to Telecom.

OMG talk about selective vision and 20:20 hindsight!

I would love to know what each negative poster has ever created and brought to market before giving ANY credence whatsoever to their criticisms.

I have been with Xtra for what must be 15+ years and it (and particularly XtraMail) has been excellent, give great support, and great value.

Chris, don't you think it would be irresponsible for Yahoo! to tell you how they encrypt their passwords? So that you can print this information and give these hackers an even easier route to figure out how to get into the system? I bet you'd get the same response from Google and Microsoft...

Use Google Apps/Gmail -- much more secure and convenient.

And for your trouble Hamiltonian ... you have been scroogled!
Check it out

To be fair guys, I'm actually quite happy with the service. I work with a number of ISPs and they all have their issues. None are perfect or even close. And no, I don't work for Telecom or Yahoo. Just being fair and reasoned.