YahooXtra users face hacking spam nightmare
Telecom is putting the pressure on Yahoo to front up over a security breach that resulted in a mass of spam emails.
A review in the next two months will investigate a series of issues that Telecom said had affected the email service badly and led to repeated apologies to its customers.
Telecom retail chief executive Chris Quin said saying sorry to frustrated customers was no longer good enough.
The review was triggered after hundreds of thousands of emails were sent out from YahooXtra users accounts to anyone in their contacts list.
The email consisted of a generic greeting and a link to a website asking for personal details including credit card numbers.
Clicking on the link gives hackers access to the recipient's contacts, meaning the scam has the potential to affect all 450,000 YahooXtra users.
Telecom outsourced its Xtra email service to Yahoo in 2007.
"It was the right thing to do at the time in terms of meeting our customers' desire for an ongoing email service associated with their Telecom broadband account,'' Mr Quin said.
"However the global email environment has changed markedly since then and we believe the time is right for a comprehensive review of our approach in this area.''
Internet safety organisation Netsafe said it looked "like the single biggest email takeover event that we have seen".
The number of malicious emails would be getting "exponentially bigger" throughout yesterday as people unknowingly clicked on the links.
Telecom initially said gullible customers must have fallen victim to the "phishing" scam after clicking on suspicious links.
But Institute of Information Technology Professionals chief executive Paul Matthews said it was not a user-generated problem, and that YahooXtra's own security had been breached.
Telecom then "double-checked" with Yahoo and admitted the mail service itself had been compromised in "two separate but potentially related malicious attacks" over the past few days.
Telecom spokeswoman Jo Jalfon confirmed the rogue emails could have been sent out without any involvement from account holders. The vulnerability had been addressed, she said, but Telecom advised all customers to change their email passwords.
Netsafe director Martin Cocker said clicking on a link in a malicious email could result in malware being downloaded to the user's web browser. Hackers could then use that to monitor computer use, potentially allowing them to steal bank and credit card details.
He advised anyone with concerns to visit Netsafe's website for information on how to scan their computer.
Ms Jalfon said Telecom and Yahoo had been upfront with customers. The companies learned YahooXtra had been compromised only yesterday afternoon after it was confronted with doubts about customers being to blame.
Telecom outsourced its email service to YahooXtra in 2006. Ms Jalfon said it stood behind the service and accepted responsibility. However, it would be seeking an explanation from Yahoo as to the cause of the security failure.
Telecommunications Users Association New Zealand chief executive Paul Brislen said he expected Telecom to go further and seek compensation from Yahoo for breaching its service agreement.
"Telecom was left out on a limb because Yahoo was parroting the line that it was a user-generated problem quite late in the day. You have to rely on your suppliers, and if [Yahoo] is saying, ‘It's not us, it's a phishing attack on individuals,' [Telecom] can do nothing but trust them."
Mr Brislen said compensation for individual email users was possible, but would have to be negotiated case by case.
"You might be able to say something about loss of reputation, but really, I don't think you're going to get very far."
CHANGE YOUR PASSWORD . . . NOW
If your email account has been hacked, Consumer NZ technology writer Hadyn Green has one piece of advice: change your password. "It's the very first thing you should do."
He suggests using a combination of numbers, letters, upper and lower case, and even punctuation marks. "But also choose something that you'll remember, because there's nothing worse than coming up with a very clever password that you then have to write down on a bit of paper."
Green suggests then sending an email to your contacts to let them know your account has been hacked, and not to click on any suspicious links.
"This is how phishing scams work: you get a weird email that seems slightly friendly, the terms will be generic, often there are spelling mistakes, and there will be a link. People need to know not to click on those links."
And if it's not clear whether a link was intentional or not, ask. "It's not impolite to respond to someone saying, ‘Excuse me, did you mean to send me this?' "
Green recommends installing free internet security software, such as those offered by Microsoft (http://is.gd/microsecure) or AVG (http://is.gd/avgfree). For those with Gmail accounts, he suggests setting up a two-step verification, where you log in with a code sent to your cellphone as well as your username and password.
"But all that probably won't help you if you click these links - so in general, keep your wits about you. And if you're not confident, be a little bit more careful."
'I WOULDN'T HAVE SENT THEM GARBAGE'
The spam attack has been "extremely embarrassing" for Megan Williams - and she hopes her colleagues understand.
When the Hastings disputes resolution worker logged in to her professional inbox on Sunday, she found about 20 emails advising that emails she had not sent had not been delivered.
"I then got a couple of responses from people who obviously had received emails from me that I hadn't sent."
Mrs Williams did not know who among her online address book had been contacted, so she could not warn them her account had been hacked. "At that point I didn't know what was happening.
"I didn't want to send a bulk email to everybody, because again, if they all hadn't received one, then I would have looked just as silly. I just hoped that people would understand that these emails weren't from me."
The spam was extremely embarrassing, she said.
"I've got hundreds and hundreds of clients - legal people, courts, judges - that would have got emails from me, that weren't from me at all.
"They would have thought it was something credible. They would have known I wasn't sending them garbage."
She had also received spam emails from other people who were affected, she said. One woman she knew had received a message from her friend's mother, who died three years ago.
Mrs Williams' son, whom she asked to look into the spam attack, contacted Xtra on Sunday night, and was told it had nothing to do with the company.
Mrs Williams then bought new anti-virus software, at the cost of $100, for which she hopes to be compensated.
"Obviously I needn't have done that. But as far as my business is concerned, I would hope that everyone who got an email from me would know that it wasn't from me by now."
Barrister Tony Rickard-Simms said being on the end of YahooXtra's latest security breach has caused him some professional awkwardness.
''When you get an email from your lawyer, you trust them - supposedly.''
He became aware of the spam on Saturday afternoon, when a contact suggested he check his emails. Mr Rickard-Simms, of Pacific Coast Law in Papamoa, found about 300 messages had been sent from his account and delivery of a further hundred had failed.
''Many of the emails that were sent out were to contacts that were no longer in existence, so I got about 150 messages back saying they could not be sent.''
He emailed his address book contacts, warning them he'd been hacked. ''I sent a message out saying 'You may get a message from me; if there's not a phrase in the subject you recognise, don't open it', and left it at that.
''Most people seem to have got the message.''
Mr Rickard-Simms had received some spam himself. ''I got messages from my wife and friends that would normally just ring me up.
''That was a bit odd. I knew my wife would never email me.''
He said he would have appreciated more contact direct from Telecom or Yahoo, rather than waiting for news reports of what had happened. ''It was a bit of a panic to begin with because I didn't know what was going on.
''I'd have liked to have known a little bit about it, rather than just trying to battle it myself.
''Unless you're especially computer literate, you can struggle with these sorts of things.''
He had changed his password, but doubted he would close his YahooXtra account. ''It's on my cards and on my letterhead - the costs at the moment would be prohibitive.
''But I guess if anything else happens, I'd have to go down that track.''
WHAT TO DO IF YOU'VE BEEN HACKED
* Change your password, using a combination of numbers, letters, upper and lower case, and even punctuation marks
* Update the ''secret questions'' you answer and secondary email addresses used to retrieve your password
* Check your browser for malware, on the ''extensions'' tab of the ''add-ons'' or ''preferences'' page of your browser
* Install free security software from Microsoft (http://is.gd/microsecure) or AVG (http://is.gd/avgfree)
* Gmail users can set up two-step verification to log in with a code sent to their cellphone as well as their username and password
WHAT TO DO IF YOU'VE RECEIVED SPAM
* Don't click on the link
* Email the person who sent the spam to let them know to change their password
* Consider changing your own password and installing free security software or two-step verification
The Dominion Post