YahooXtra users face hacking spam nightmare

18:07, Feb 11 2013

Telecom has acknowledged that its YahooXtra email service had been compromised by hackers - after it initially blamed customers for the massive spam invasion.

Hundreds of thousands of emails - blank apart from a generic greeting and a link to a website asking for personal details, including credit card numbers - could possibly have been sent from YahooXtra accounts to anyone in the users' contacts lists.

Clicking on the link gives hackers access to the recipient's contacts, meaning the scam has the potential to affect all 450,000 YahooXtra users.

Internet safety organisation Netsafe said it looked "like the single biggest email takeover event that we have seen".

The number of malicious emails would be getting "exponentially bigger" throughout yesterday as people unknowingly clicked on the links.

Telecom initially said gullible customers must have fallen victim to the "phishing" scam after clicking on suspicious links.


But Institute of Information Technology Professionals chief executive Paul Matthews said it was not a user-generated problem, and that YahooXtra's own security had been breached.

Telecom then "double-checked" with Yahoo and admitted the mail service itself had been compromised in "two separate but potentially related malicious attacks" over the past few days.

Telecom spokeswoman Jo Jalfon confirmed the rogue emails could have been sent out without any involvement from account holders. The vulnerability had been addressed, she said, but Telecom advised all customers to change their email passwords.

Netsafe director Martin Cocker said clicking on a link in a malicious email could result in malware being downloaded to the user's web browser. Hackers could then use that to monitor computer use, potentially allowing them to steal bank and credit card details.

He advised anyone with concerns to visit Netsafe's website for information on how to scan their computer.

Ms Jalfon said Telecom and Yahoo had been upfront with customers. The companies learned YahooXtra had been compromised only yesterday afternoon after it was confronted with doubts about customers being to blame.

Telecom outsourced its email service to YahooXtra in 2006. Ms Jalfon said it stood behind the service and accepted responsibility. However, it would be seeking an explanation from Yahoo as to the cause of the security failure. Telecom retail boss Chris Quin also apologised.

Telecommunications Users Association New Zealand chief executive Paul Brislen said he expected Telecom to go further and seek compensation from Yahoo for breaching its service agreement.

"Telecom was left out on a limb because Yahoo was parroting the line that it was a user-generated problem quite late in the day. You have to rely on your suppliers, and if [Yahoo] is saying, 'It's not us, it's a phishing attack on individuals,' [Telecom] can do nothing but trust them."

Mr Brislen said compensation for individual email users was possible, but would have to be negotiated case by case.

"You might be able to say something about loss of reputation, but really, I don't think you're going to get very far."


If your email account has been hacked, Consumer NZ technology writer Hadyn Green has one piece of advice: change your password. "It's the very first thing you should do."

He suggests using a combination of numbers, letters, upper and lower case, and even punctuation marks. "But also choose something that you'll remember, because there's nothing worse than coming up with a very clever password that you then have to write down on a bit of paper."

Green suggests then sending an email to your contacts to let them know your account has been hacked, and not to click on any suspicious links.

"This is how phishing scams work: you get a weird email that seems slightly friendly, the terms will be generic, often there are spelling mistakes, and there will be a link. People need to know not to click on those links."

And if it's not clear whether a link was intentional or not, ask. "It's not impolite to respond to someone saying, 'Excuse me, did you mean to send me this?'"

Green recommends installing free internet security software, such as that offered by Microsoft or AVG. For those with Gmail accounts, he suggests setting up two-step verification, where you log in with a code sent to your cellphone as well as your username and password.

"But all that probably won't help you if you click these links - so in general, keep your wits about you. And if you're not confident, be a little bit more careful."


The spam attack has been "extremely embarrassing" for Megan Williams - and she hopes her colleagues understand.

When the Hastings disputes resolution worker logged in to her professional inbox on Sunday, she found about 20 emails advising that emails she had not sent had not been delivered.

"I then got a couple of responses from people who obviously had received emails from me that I hadn't sent."

Mrs Williams did not know who among her online address book had been contacted, so she could not warn them her account had been hacked. "At that point I didn't know what was happening.

"I didn't want to send a bulk email to everybody, because again, if they all hadn't received one, then I would have looked just as silly. I just hoped that people would understand that these emails weren't from me."

The spam was extremely embarrassing, she said.

"I've got hundreds and hundreds of clients - legal people, courts, judges - that would have got emails from me, that weren't from me at all.

"They would have thought it was something credible. They would have known I wasn't sending them garbage."

She had also received spam emails from other people who were affected, she said. One woman she knew had received a message from her friend's mother, who died three years ago.

Mrs Williams' son, whom she asked to look into the spam attack, contacted Xtra on Sunday night, and was told it had nothing to do with the company.

Mrs Williams then bought new anti-virus software, at the cost of $100, for which she hopes to be compensated.

"Obviously I needn't have done that. But as far as my business is concerned, I would hope that everyone who got an email from me would know that it wasn't from me by now."

The Dominion Post