Telecom admits YahooXtra email accounts were hacked
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
Get the latest news from Computerworld delivered via email.
Sign up now
Telecom has admitted its outsourced YahooXtra email service has been compromised by hackers resulting in some YahooXtra customer accounts being hijacked to send out malicious email.
It is advising all YahooXtra customers to change their passwords.
The company initially blamed a deluge of compromised accounts on a successful phishing attack, saying customers were tricked into clicking on scam emails, but has now acknowledged a "second attack" that was outside customers' control.
"We understand from our own technical investigations that the security of some YahooXtra email customer accounts may have been compromised, making it possible for emails to be sent from these accounts without the customers' knowledge," the company said in a statement.
Telecom said it could not tell how many customers had been affected but it believed it was a small percentage of its approximately 500,000-strong customer base.
Telecom retail boss Chris Quin, said it was working with Yahoo to investigate further. "We would like to apologise to all our customers for any distress or inconvenience caused and assure them that we are doing all we can, in conjunction with Yahoo, to resolve this incident."
Institute of IT professionals CEO Paul Matthews said Yahoo has been subject to a well-documented attack. "There is no doubt whatsoever [attackers] are using actual contact details from Xtra email accounts."
Matthews said the Institute is aware Yahoo had been subject to a major cross-site scripting (XSS) attack over the last few weeks which it said had been patched a few days ago.
"We've received notes from many of our members who have encountered this and the subsequent Xtra issues on client sites.
"Given the nature of these emails - sent indisputably to Xtra contact lists, in some cases to people who haven't been in contact for a long time and others very recently - it's highly likely that either the issue wasn't patched successfully, a new attack vector has been found or more likely, contact lists have been harvested during the initial attack to enable this secondary attack on Xtra email holders.
"According to security sources, this original attack appears to have been due to a vulnerability in the Yahoo Developers Network, due to blog software that hadn't been updated for at least nine months. The fact that there was an XSS vulnerability at Yahoo has been known since at least November," he says.
"So assuming this is the cause of the attack, it would appear to be due to a vulnerability at Yahoo and very difficult for users to avoid. This is a major attack and appears unrelated to any of the standard 'from Xtra account services' phishing emails which are regularly circulated."
One victim, YahooXtra customer Michael Beckett, said scam emails were sent from his email address while his computer was turned off and he was out on a boat.
"I went to change my password, but that kept on crashing and when I went to delete my contact lists - which is what the hack had programmed their malware to exploit - I couldn't delete the addresses."
Telecom says neither it nor outsourced email provider YahooXtra are responsible for a massive malware attack on Kiwi internet users that began over the weekend.
Many internet users have received rogue emails from friends and colleagues who are YahooXtra customers, containing links to websites that are designed to infect their computers with malware.
Telecom says a sophisticated phishing attack on its customers, rather than any breach of YahooXtra's own security, appeared to be responsible.
Telecommunications Users Association chief executive Paul Brislen said a "significant" number of YahooXtra customers - possibly in the thousands - appeared to have had their computers compromised.
Brislen said Telecom's explanation appeared unlikely as the victims include many professionals who he would not normally expect to fall for phishing scams.
But Telecom spokeswoman Jo Jalfon pointed the finger in the direction of a phishing scam that was also reported to have affected Google, the world's largest email provider, that was outlined in a Whaleoil blog.
The perpetrators of that scam appeared to be able to "guess" email addresses that might be known to others and included them in the "To" field of the phishing emails - making it more likely recipients would trust and open them.
That malware attack had "organised crime written all over it", according to the blog, and appeared designed to steal people's credit card details.
Jalfon said it did not know had many customers been affected. The advice to those who have been affected is to change their Xtra passwords.
Posted by Anonymous at 12:00:51 on February 12, 2013
Based on the fact that almost all of the Xtra users that I know got affected including some quite savvy IT users I believe it has been a very wide spread attack.
Posted by Anonymous at 19:22:58 on February 11, 2013
lol so what is he saying? that telecom hacked the yahoo servers?
Posted by Anonymous at 19:19:43 on February 11, 2013
Posted by Anonymous at 15:42:49 on February 11, 2013
'Appearing to' is a little vague. Guessing email addresses and obtaining someones contact lists are two very different things. You can tell if an address is guessed as there will be return mail from a thousand times more incorrect addresses on the receiving mail server for every one it guesses correctly and lets through. If this type of activity has not been detected, then personal contact lists have been obtained somehow.
Phising? Account compromise? Server compromise?
If the actaul Phising email hasn't been identified yet, I'd be ruling out Phising.
Posted by SilentBob at 13:04:39 on February 11, 2013
Posted by Mo at 19:10:53 on February 13, 2013
Posted by Anonymous at 12:45:04 on February 11, 2013
I note my own throwaway yahoo account that I use only rarely was hacked in January - i blamed a bruteforce attack on my fairly weak password, but looking at recent vulnerabilities on yahoo, it appears this was not the most likely cause.
I think yahoo/xtra is in for a bad week.
Posted by Earp at 17:01:25 on February 11, 2013