No end in sight for Xtra agony
The nightmare looks set to continue for tens of thousands of Telecom email users who have had their Xtra accounts hacked over the past year.
It appears that hackers have copied and stored their email address books, or at least stripped email contact information from emails that Xtra users have sent, and are continuing to send out malware-infested spam in their name.
That means it won't matter if customers secure their accounts and change their passwords, or even stop using Xtra altogether and switch to alternative services such as Google's Gmail. Their friends, family and colleagues are likely to continue to receive malware-infested spam that appears as though it is coming from their Xtra addresses.
The only thing that may stop the periodic deluges is if the hackers are caught and the stolen address books or contact information can be retrieved and destroyed.
One technology expert who has been helping Xtra customers try to sort out the mess says many have had enough. One female client was distressed to find she was being "spammed" by the email address of her husband, who had recently died from cancer. His was only the email address in her email address book when her account was infiltrated by hackers.
"We do understand how difficult it is for people," Telecom spokeswoman Lucy Fullarton says. "I know we have said it many times before, but we do apologise and understand this is not an easy thing for them."
So far, it has offered no compensation. Fullarton says this is in part because it does not charge separately for the service.
The problems began for Xtra a year ago when hackers gleaned
the usernames and passwords of 87,000 of Xtra's 450,000 email accounts.
Yahoo, which has managed Telecom's email service since 2007, has never explained the security breach. It was widely assumed hackers pulled off a "cross-site scripting" (XSS) attack by exploiting a security flaw in a piece of WordPress blogging software that was used by some Yahoo software developers.
The theory went that the flaw let the hackers decrypt customers' usernames and passwords from "cookies" stored temporarily on Xtra customers' computers, if victims could first be persuaded to click on links to websites containing malicious code while they were still logged on to Yahoo.
However, more Xtra and other Yahoo email accounts were "compromised" in subsequent attacks, some as recently as late last month - which is long after the WordPress vulnerability was closed.
In a short statement issued on a blog on Friday, Yahoo vice-president Jay Rossiter said hackers appeared to have obtained Yahoo usernames and passwords from a "third party database".
Yahoo suggested it was possible hackers just tried their luck, hoping the user names and passwords they had stolen from the unnamed business would work on victims' Yahoo email accounts, given many people use the same usernames and passwords for many different online services.
"Our ongoing investigation shows that malicious computer software used the list of usernames and password to access Yahoo email accounts. The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails," Rossiter said.
Yahoo would not name the "third party" that it claimed had been hacked.
Fullarton won't disclose how many Xtra accounts have been compromised in all during the past year, other than saying it is "a minority" of its total number of about 450,000 accounts. But she accepts the fresh hacks indicate that the XSS flaw, if it was indeed the root cause of the original attack, is not a full explanation for all of the problems.
During the original attacks, the hackers sent out spam emails direct from victims' accounts. But Fullarton says Yahoo has confirmed the latest rounds of spam emails, seemingly sent from Xtra email addresses last week, were not sent from Yahoo's servers.
Instead, the hackers have "spoofed" past victims' email address, sending out spam that only appears to come from their addresses, to their stolen contacts. While it may seem a good thing that the spam is not actually originating from victims' accounts, the flipside is that it will be harder - if not impossible - to stop
Telecom reviewed its relationship with Yahoo after the February attacks last year. It weighed up moving to another provider and bringing email back in-house. It also "seriously considered" dumping email altogether and simply advising customers sign up to free services such as Google's Gmail, as many Telecom customers are believed to have done off their own bat.
But in April it instead decided to stick with Yahoo, moving Xtra customers from an aging bespoke Yahoo platform which had separate reliability issues, on to Yahoo's main email platform.
Fullarton said Telecom's view then and now is that customers still value the service. When Telecom outsourced Xtra to Yahoo in 2007, it handed over the rights to the Xtra internet domain to Yahoo.
That means that if it now dropped the service, it could not guarantee customers would be able to retain their existing email addresses, which some business customers will have printed on their stationery or even etched on to their vans.
"We know a huge proportion of our customer base rely on those addresses, have had them a long time and it is a big part of their online identity," Fullarton said.
- © Fairfax NZ News