YahooXtra email accounts hacked

03:13, Feb 11 2013

Telecom has admitted its outsourced YahooXtra email service has been compromised by hackers resulting in some YahooXtra customer accounts being hijacked to send out malicious email.

It is advising all YahooXtra customers to change their passwords.

The company initially blamed a deluge of compromised accounts on a successful phishing attack, saying customers were tricked into clicking on scam emails, but has now acknowledged a "second attack" that was outside customers' control.

"We understand from our own technical investigations that the security of some YahooXtra email customer accounts may have been compromised, making it possible for emails to be sent from these accounts without the customers' knowledge," the company said in a statement.

Telecom said it could not tell how many customers had been affected but it believed it was a small percentage of its approximately 500,000-strong customer base.

Telecom retail boss Chris Quin, said it was working with Yahoo to investigate further. "We would like to apologise to all our customers for any distress or inconvenience caused and assure them that we are doing all we can, in conjunction with Yahoo, to resolve this incident."


The chief executive of the Institute of Information Technology Professionals, Paul Matthews, had earlier described Telecom's initial explanation of the cause of the rogue emails as "demonstrably wrong".

Telecom first said neither it nor its outsourced email provider YahooXtra were responsible for the massive malware attack, that began over the weekend.

Many internet users have received rogue emails from friends and colleagues who are YahooXtra customers, containing links to websites that are designed to infect their computers with malware.

Telecom initially said a sophisticated phishing attack on its customers, rather than any breach of YahooXtra's own security, appeared to be responsible.

But IITP boss Paul Matthews said Yahoo had been subject to a well-documented attack.

Matthews said the institute was aware Yahoo had been subject to a major cross-site scripting (XSS) attack over the last few weeks which it said had been patched a few days ago.

"We've received notes from many of our members who have encountered this and the subsequent Xtra issues on client sites.

"Given the nature of these emails - sent indisputably to Xtra contact lists, in some cases to people who haven't been in contact for a long time and others very recently - it's highly likely that either the issue wasn't patched successfully, a new attack vector has been found or more likely, contact lists have been harvested during the initial attack to enable this secondary attack on Xtra email holders.

"According to security sources, this original attack appears to have been due to a vulnerability in the Yahoo Developers Network, due to blog software that hadn't been updated for at least nine months. The fact that there was an XSS vulnerability at Yahoo has been known since at least November," he said.

"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."

One victim, YahooXtra customer Michael Beckett, said scam emails were sent from his email address while his computer was turned off and he was out on a boat.

"I went to change my password, but that kept on crashing and when I went to delete my contact lists - which is what the hack had programmed their malware to exploit - I couldn't delete the addresses."

The Dominion Post