Telecom: cancelling passwords necessary

Last updated 13:20 18/02/2013


Telecom says it knew problems were likely to ensue when it began cancelling the passwords of 60,000 Xtra email accounts that were newly discovered to have been compromised by an attack on outsourced email provider Yahoo.

But spokeswoman Jo Jalfon said the move was necessary to prevent the hacked accounts sending out emails with links to malware-infected websites for "weeks".

Telecom said it was only the scale and not the nature of the crisis that deepened over the weekend.

Jalfon said Telecom was unsure whether hackers could have opened and read customers' actual emails, but Yahoo was continuing to assure Telecom it had no evidence that had happened.

Telecom began cancelling the passwords of 60,000 Xtra email accounts on Saturday night with little or no warning. That meant customers had to re-prove their identity and set new passwords before being able to log back into their accounts.

Telecom's call centre was swamped as people who had forgotten answers to security questions, or had other problems changing their passwords online, called for help. Some customers reported being put on hold for hours before they could get through.

Jalfon said Telecom had redeployed about 100 staff from other parts of its call centre to help clear the backlog. People who required phone help changing their passwords and logging back into their email were now getting through within about five minutes, but customers might face delays calling Telecom about other issues, she said.

Jalfon said Telecom had forcibly cancelled the 60,000 passwords because its experience last week had shown few of the affected customers were likely to respond quickly to prompting.

She confirmed 80,000 of its 450,000 Xtra customers were now known to have had their email accounts compromised as a result of the attack.

Last week, Yahoo told Telecom that about 20,000 Xtra accounts had been compromised. About 5000 of those customers quickly changed their passwords following warnings by Telecom that were conveyed by the media and through social media sites such as Twitter.

But Jalfon said that when Telecom began emailing the remainder of those customers in batches, giving them 24 hours' notice that it would cancel their passwords, it found only 40 per cent of customers opened those emails and only half of them took any action. "It just wasn't happening fast enough."

Jalfon said about 27,000 of the 60,000 passwords it cancelled on Saturday were allocated to "idle" email accounts that had not been accessed for the previous 90 days. She presumed that was because the account holders had switched to other email services such as Gmail.

Some customers' anger was compounded this weekend as a result of a "human error" that saw Telecom forcibly cancel the passwords of 1560 accounts whose owners had already voluntarily changed their passwords. They "regrettably found themselves on our updated compromised email account list over the weekend", Jalfon said.

"The reason was identified as being that some customers had logged into their accounts with an upper case character when changing their password. These customers then didn't match the compromised list we had received from Yahoo, so our staff assumed they hadn't changed their password, and regrettably locked them again.

"The oversight was corrected shortly after it was noticed and we apologise for the inconvenience and confusion this may have caused these customers."

Institute of Information Technology Professionals chief executive Paul Matthews has said customers can minimise the risk of falling victim to cookie-capturing "cross site scripting" attacks of the kind that befell YahooXtra by logging out of their email and other accounts and re-entering their usernames and passwords to sign back in.

"Even though having to log in all the time is annoying, don't use the 'remember me' checkbox on webmail. This potentially makes your account vulnerable all the time rather than just when you're on the webmail site. It's simply not worth the risk for a little convenience."

- The Dominion Post

