Spark says customer data stolen in giant Yahoo hack

UPDATE: Scroll to end of story for Spark's statement. In short, Yahoo has confirmed that an unspecified number of Spark Xtra Mail accounts were hacked and personal data stolen.

Any Spark customer using Xtra Mail needs to change their password, and their security questions — and on any other accounts where they use the same information.

That's a hassle. A password can be changed, but your mother's maiden name or first street you grew up on cannot.

EARLIER: Thank God Spark is finally ridding itself of its Yahoo, the current provider of its Xtra Mail service (from January it's moving customers to the Sam Morgan-backed SMX).

Spark has partnered with Yahoo for nine years, many of them punctuated by Yahoo security blunders.

This morning, the story is breaking of yet more Yahoo ineptness: The US-based company says 500 million accounts were hacked, and information including a copy of certain user account information  — including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers — was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.

Yahoo says it is notifying potentially affected users and has taken steps to secure their accounts by invalidating unencrypted security questions and answers so hackers can't use them to change passwords.

In 2013, around 400,000 Xtra Mail customers had to change passwords after widespread phishing attacks, which followed an apparent breach of Yahoo's servers. (After a 2014 review, Spark decided to stay with Yahoo, a decision it reversed last week).

Spark could not immediately say if the 2014 hack admitted today would affect Xtra Mail users.

The company said in a statement, "We are working closely with them to understand if there is any impact in New Zealand. As a precaution, we are encouraging customers who haven’t changed their passwords in the last 12-18 months to do so."

NBR's advice: If you have a Yahoo account and/or an Xtra Mail account, just go ahead and change your password and security questions anyway. Given the nature of the attack, Xtra Mail users should also change their security questions if they also use them on other sites, hassle though that is.

The financially challenged Yahoo is in the process of being sold to Verizon for a fire-sale price – although according to a BBC reporter posting to social media, the US phone company is now "evaluating its interests" with regards to the deal.

Read more about Spark's Xtra Mail move to SMX and action required by users here.

SPARK STATEMENT 

Important security information for Xtra e-mail customers

Yahoo announced earlier today that a copy of some of its user account information was stolen from the company’s global network back in November 2014. They have confirmed that the information from some of Spark’s Xtra customers is included in the stolen data. We are working closely with Yahoo to identify any customers who may be affected.

Yahoo has no evidence that the stolen bcrypt-protected passwords or security questions and answers were used to gain unauthorized access to Spark accounts.  

Yahoo has confirmed that the stolen account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.Their investigation suggests that information did not include unprotected passwords.

Spark will be communicating directly with customers who we believe may have been impacted as soon as we have more information. We would like to remind all customers to change their password and security questions for their Xtra account and any other account on which you used the same or similar information.

To maintain a secure online profile, Spark advises all Xtra users to regularly update account settings with a strong, difficult-to-predict password. All Xtra customers who have not changed their password or security questions since 2014, or are unsure if they have, should do so now on the Spark website using this link: www.spark.co.nz/changepassword.

As previously announced, we are currently in the process of preparing to move all of our email system back home to New Zealand. A number of our customers have already received a request to register on the Spark website. We thank those customers who have already registered and encourage those who have not registered, to do so.

If you’ve already registered to have your email moved to SMX, you don’t need to do that again – any changes you make to your password will be applied to the new system.