Yahoo finds another 1500 compromised Telecom Xtra accounts

UPDATE: A curious coda to today's Yahoo Xtra developments. A colleague at NBR got the above right error message about Yahoo Xtra being down for maintenance when he tried to check for new messages on his personal Yahoo Xtra account.

The error message persisted for several minutes. When he tried again this evening, he was able to get in.

I sent a copy of the error message to Telecom. 

A spokeswoman replied: "We believe its a spoof as we sent some test messages which worked and Yahoo would advise us of any work which they have not."

Don't know about that one. If it was sent by a random person I would wonder if it was faked too. But it arrived from a someone I know at work, who's a serious-minded guy just annoyed he couldn't access his email (and the screen grab above is a crop of a larger screen shot).

And "spoofing" in the technical sense (one programme masquerading as another) makes no sense, given the account worked normally a few minutes later.

It sounds like there's probably a more common-or-garden explanation: more poor communication. Perhaps Yahoo failed to let Telecom know a scheduled outage was taking place - not good at a time when Telecom is formally reviewing its email options.

Another 1500 Telecom customers using its Yahoo Xtra email service have potentially "compromised accounts."

Passwords on all 1500 accounts have been summarily cancelled by Telecom. As with previous cancellations, customers are issued with a temporary password then asked to head online, or phone, to reset their account.

Telecom attempted to draw a line under its latest Yahoo Xtra problems on February 22 with a statement headed Telecom Customers no Longer Compromised Following Cyber Attack. It said passwords on all 65,000 affected accounts have been changed (passwords were also cancelled on a number of inactive accounts, taking the total number number of compromised accounts to 87,000).

But in comments after NBR ONLINE stories, and elsewhere, people continued to complain about a heavy number of spam messages from Yahoo Xtra accounts.

Today, Telecom said it has been alerted by Yahoo of 1500 potentially compromised accounts - up from the usually number of around 100 (Telecom has around 450,000 broadband customers in total). 

Accounts can be compromised when a person sends on a malicious link in an email sent by a "phisher", or within an email from a person they know who has already been compromised.

But some, including government-funded NetSafe and the Institute of IT Professionals NZ, are more worried about the separate, direct security breach of Yahoo's mail servers, which happened at the same time as the February 9 phishing attack upsurge. This mail server breach could have lead to address books and email being downloaded for use in a future attack.

On this point, said today "Yahoo continues to assure Telecom that there has been no evidence that email accounts have been accessed for any other reason than to send spam."

Telecom did not immediately respond in detail on the question of whether the 1500 potentially compromised accounts revealed today could be traced back to the February 9 attack.

"It’s pretty clear that we will never see the end of these types of incidents given the global nature of spam and the increasingly sophisticated tactics of spammers and cyber criminals," a spokeswoman told NBR ONLINE.

Follow @ChrisKeall

ckeall@nbr.co.nz