Yahoo's hack explanation doesn't add up
OPINION: United States media have, by and large, taken at face value a statement that was issued by Yahoo on Friday, explaining how some of its customers' email may have been hacked.
But I am struggling with the account given by Yahoo's senior vice president Jay Rossiter.
Although it was reported around the world as "new news", the attacks Rossiter referred to appear to be the same ones that Telecom and Yahoo first reported on January 24, when the companies issued a joint statement saying some Xtra accounts had been compromised (Telecom completely and probably irrevocably outsourced its Xtra email service to Yahoo in 2007).
Telecom said that some non-Xtra Yahoo accounts had also been compromised.
Every day last week I asked Yahoo's corporate headquarters, via their Auckland public relations representative, to provide more information about the cause, scale and implications of the attack.
Then came Rossiter's statement on Friday, which said hackers "appeared" to have obtained Yahoo customers' usernames and passwords from a "third party database".
If that explanation is the whole story, then it would be somewhat reassuring. It would mean Yahoo itself does not necessarily have any security weakness; the hackers got people's email addresses and the usernames and passwords they used to access the third-party site, and then tried them to see if they would also unlock those people's Yahoo email accounts.
If Yahoo's explanation is correct, then email users could have avoided this and any future attacks simply by ensuring they did not use the same usernames and passwords for their email accounts as they did when accessing other online services, which is a good idea anyway.
Pretty much all of us re-use passwords on the web, but it is a good idea to reserve "unique" ones at least for internet banking and webmail.
The problem is Rossiter's theory - and that seems to be all it is, a theory - does not seem that convincing.
What third-party database was hacked? It must have been a big one to explain the scale of attacks Xtra has seen, so why haven't we heard about the attack on the primary target?
And why don't the hackers seem to have been able to use the same information they gathered from the third party to compromise other email services such as Google's Gmail? Why pick on Yahoo?
Why also does Yahoo only say it "appeared" as though a third-party database had been hacked? Surely if that had been the source of the problem, it would be easy to verify, just by checking whether all the people whose accounts had been compromised did in fact use one third party's service, and with the same usernames and passwords they used with Yahoo?
One New Zealand security professional believes one of his clients, whose Xtra account was hacked last month, did not use their Yahoo credentials to access any other site. If correct, that would seem to contradict Rossiter's theory.
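The verification described above, written out as an added example that is not from the article, Yahoo or Telecom: given a constructed list of compromised mail accounts, a constructed third-party credential leak and the mail provider's own salted password hashes, it tests which compromised accounts the leaked credentials would actually have unlocked. All account names, passwords and the PBKDF2 storage scheme are assumptions made up for the example.

```python
import hashlib
import hmac
import os

# The mail provider stores only a per-user salt and a PBKDF2 hash, never the password.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_store(credentials):
    """Build a {username: (salt, hash)} store from (username, password) pairs."""
    store = {}
    for user, password in credentials:
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store

# Constructed sample data: hypothetical accounts, not real users.
MAIL_STORE = make_store([
    ("alice@xtra.example", "Tr0ub4dor&3"),   # same password on the third-party site
    ("bob@xtra.example", "correct horse"),   # different password on the third-party site
    ("carol@xtra.example", "s3cret!"),       # never used the third-party site
    ("dave@xtra.example", "winter2013"),     # same password on the third-party site
])
THIRD_PARTY_LEAK = {  # username -> plaintext password as recovered from the leak
    "alice@xtra.example": "Tr0ub4dor&3",
    "bob@xtra.example": "bob123",
    "dave@xtra.example": "winter2013",
}
COMPROMISED = ["alice@xtra.example", "bob@xtra.example",
               "carol@xtra.example", "dave@xtra.example"]

def overlap_report(compromised, leak, store):
    """Split compromised accounts into those the leaked credential would have
    unlocked (password reuse explains the compromise) and those it would not."""
    explained, unexplained = [], []
    for user in compromised:
        leaked_pw = leak.get(user)
        if leaked_pw is not None and user in store:
            salt, stored_hash = store[user]
            # Constant-time comparison of the recomputed hash against the stored one.
            if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
                explained.append(user)
                continue
        unexplained.append(user)
    return explained, unexplained

def explained_fraction(compromised, leak, store):
    explained, _ = overlap_report(compromised, leak, store)
    return len(explained) / len(compromised) if compromised else 0.0

if __name__ == "__main__":
    ok, not_ok = overlap_report(COMPROMISED, THIRD_PARTY_LEAK, MAIL_STORE)
    print("explained by reuse:", ok)
    print("unexplained (provider-side cause still open):", not_ok)
```

Every account in the unexplained list is one the third-party theory does not account for, which is exactly the case the security professional's client above represents.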
I asked Yahoo on Friday what evidence it had to support Rossiter's theory.
Its response was as follows: "Because the investigation is ongoing and we are working closely with federal law enforcement, we are not able to share any additional information beyond what we've said publicly."
Immediately after suggesting a third party was to blame, Rossiter said there was no evidence Yahoo's own systems had been breached.
So my question to Rossiter is: Is the fact that Yahoo has not found a hole in its own systems actually the only evidence Yahoo has that the hack of a third party might be to blame?
I also ask Telecom: Does it believe the theory put forward by Rossiter in his Friday blog?
I have some sympathy with the situation Telecom has found itself in. Clearly it will have recognised that outsourcing Xtra to Yahoo in 2007 and, in particular, handing over the rights to Xtra email addresses, was a mistake. But how to redress it?
The majority of Xtra customers have not had their accounts hacked in the various compromises that have happened over the past year. The reliability of the service appears to have improved since April, when Yahoo switched Xtra from a second-rate bespoke technology platform on to its main email platform (prior to that it was woeful).
Many Xtra customers may not want Telecom to abandon Yahoo if that comes at the cost of them losing their email addresses altogether or having to pay some kind of extra fee to Yahoo to keep them.
US law enforcement may catch the perpetrators of the present attacks on Yahoo. It is possible the explanation Yahoo provided on Friday, implausible or incomplete though it seems, will prove to be correct. Finally, Telecom's customers can switch to other free email services if they choose.
But the fundamental issue is one of trust and, now, brand association.
If Yahoo can't solve the problem and provide a far more definitive account of what happened within a month or two, I'd expect Telecom to finally bite the bullet and unravel this partnership.
- © Fairfax NZ News