Telecom: cancelling passwords necessary

Telecom says it knew problems were likely to ensue when it began cancelling the passwords of 60,000 Xtra email accounts that were newly discovered to have been compromised by an attack on outsourced email provider Yahoo.

But spokeswoman Jo Jalfon said the move was necessary to prevent the hacked accounts sending out emails with links to malware-infected websites for "weeks".

Telecom said it was only the scale and not the nature of the crisis that deepened over the weekend.

Jalfon said Telecom was unsure whether hackers could have opened and read customers' actual emails, but Yahoo was continuing to assure Telecom it had no evidence that had happened.

Telecom began cancelling the passwords of 60,000 Xtra email accounts on Saturday night with little or no warning. That meant customers had to reprove their identity and set new passwords before being able to log back into their accounts.

Telecom's call centre was swamped as people who had forgotten answers to security questions, or had other problems changing their passwords online, called for help. Some customers reported being put on hold for hours before they could get through.

Jalfon said Telecom had redeployed about 100 staff from other parts of its call centre to help clear the backlog. People who required phone help changing their passwords and logging back into their email were now getting through within about five minutes, but customers might face delays calling Telecom about other issues, she said.

Jalfon said Telecom had forcibly cancelled the 60,000 passwords because its experience last week had shown few of the affected customers were likely to respond quickly to prompting.

She confirmed 80,000 of its 450,000 Xtra customers were now known to have had their email accounts compromised as a result of the attack.

Last week, Yahoo told Telecom that about 20,000 Xtra accounts had been compromised. About 5000 of those customers quickly changed their passwords following warnings by Telecom that were conveyed by the media and through social media sites such as Twitter.

But Jalfon said that when Telecom began emailing the remainder of those customers in batches, giving them 24 hours' notice that it would cancel their passwords, it found only 40 per cent of customers opened those emails and only half of them took any action. "It just wasn't happening fast enough."

Jalfon said about 27,000 of the 60,000 passwords it cancelled on Saturday were allocated to "idle" email accounts that had not been accessed for the previous 90 days. She presumed that was because the account holders had switched to other email services such as Gmail.

Some customers' anger was compounded this weekend as a result of a "human error" that saw Telecom forcibly cancel the passwords of 1560 accounts whose owners had already voluntarily changed their passwords. They "regrettably found themselves on our updated compromised email account list over the weekend", Jalfon said.

"The reason was identified as being that some customers had logged into their accounts with an upper case character when changing their password. These customers then didn't match the compromised list we had received from Yahoo, so our staff assumed they hadn't changed their password, and regrettably locked them again.

"The oversight was corrected shortly after it was noticed and we apologise for the inconvenience and confusion this may have caused these customers."

Institute of Information Technology Professionals chief executive Paul Matthews has said customers can minimise the risk of falling victim to cookie-capturing "cross site scripting" attacks of the kind that befell YahooXtra by logging out of their email and other accounts and re-entering their usernames and passwords to sign back in.

"Even though having to log in all the time is annoying, don't use the 'remember me' checkbox on webmail. This potentially makes your account vulnerable all the time rather than just when you're on the webmail site. It's simply not worth the risk for a little convenience."

The Dominion Post