The YahooXtra email service is the victim of two separate,
but potentially related "malicious" attacks, Telecom has
The security breach, which began on Saturday morning, saw
emails sent to everyone on users' contact lists, asking them
to click on a link directing them to an online advertisement.
Telecom responded in a statement issued this afternoon,
saying the attacks were believed to have similarly affected
other Yahoo mail users using Yahoo servers.
The first attack was a phishing attempt, Telecom said, where
some customers received emails purportedly from people they
knew containing a link to a suspicious website.
Clicking on the link sent similar emails to certain contact
on their address lists.
The second attack has compromised the security of some
customers, making it possible for emails to be sent from
their accounts without their knowledge, the statement said.
Telecom said while it was difficult to know how many accounts
had been affected, they believed it was a "small percentage"
of the total customer base.
They did not offer any additional advice to earlier warnings
for victims to change their passwords.
Telecom's CEO retail Chris Quin said while Yahoo's security
was "sophisticated", no system was 100 per cent bullet proof.
".. As we have seen from this incident, cyber-attacks by
global criminals are becoming increasingly sophisticated.
"We are currently working with Yahoo! to investigate further.
We would like to apologise to all our customers for any
distress or inconvenience caused and assure them that we are
doing all we can, in conjunction with Yahoo!, to resolve this
Despite claims that a "small percentage" had been affected,
YahooXtra customers have been saying that the spam issue
plaguing their mailboxes is worse than the email service is
admitting - and it's still happening, despite assurances it
had been fixed.
Telecom, which uses Yahoo as its email provider, initially
attributed the breach to a "suspected phishing issue"- a
tactic used by scammers to extract confidential information
like passwords and credit card details.
The company said they were told early yesterday that the
issue had been resolved, but customers told the Herald the
problem was far from over.
Elizabeth Simm said she was horrified to see that the spam
emails had gone out to everyone she had ever sent an email
"I thought I had a bug in my system, so spent about three
hours phoning and texting family and friends advising them
not to open anything from me with nothing in the 'subject'
Ms Simm was frustrated that there was no mention of the
problem on the Xtra website.
"Why were we not advised, which could have been done so
quickly and easily?"
Another reader said spam was even sent from her account to a
contact that had died months ago.
Carl Black wrote in to dispute Telecom's claims that
customers must have clicked a link.
"I got spam from my dead brother's account. He obviously
hasn't been clicking any links, and for Telecom to blame him
for this is just insulting."
Yahoo Xtra customer Peter Fowler said he did not believe
Telecom was being "honest"about the cause.
Telecom's explanation that it was the customer clicking on
the link that sent the spam made him look "stupid"in the eyes
of the 175 people on his contact list, he said.
"I did not click on any link and in fact hadn't used the
account for about a month.
"Talking to the help desk in the Philippines last night, I
got the impression someone had hacked into Yahoo/Telecom
servers and were generating the spam from within the
Telecom/Yahoo servers. There is no other explanation for how
the spammers managed to get access to all the contacts in my
Fowler said he had since closed his Yahoo account.
Another Xtra user, Alex Munroe, also expressed concern over
the magnitude of the problem.
"I think 'hundreds' is being a little conservative. I think
the article should read 'hundreds of thousands' or possibly
'millions' considering Xtra is NZ's biggest internet service
provider. Xtra was caught napping.
"This mass spam attack over the weekend has affected friends
and family of mine worldwide."
And the breach was not limited to existing contacts, she
"I am a TradeMe seller and when I went into my Yahoo account
address list yesterday I was shocked to see the number of
unknown addresses in my contacts list. I realised many of
them were people I have traded with on TradeMe in the past
couple of years."
Munroe said Yahoo automatically inserted the addresses into
the contact list at the end of a successful auction,
extending the spam's reach.
Another user complained that his Xtra Webmail account had
been hacked after a year of inactivity.
"If the excuse Telecom (is) using is true, that wouldn't be
possible," he said.
Other users said the issue was still ongoing today, despite
being told it was over.
"I agree with Peter - I also did not click on any suspicious
link - these emails just started turning up using my contacts
that have Xtra email addresses - tell the truth Telecom!"
said Kevin Wike.
"I have received [approximately] a dozen emails from
different clients in the past two days - this cannot be a
phishing attack - it appears to be an attack directly on the
data held by Yahoo Xtra," said Chris Grenfell.
Others said the problem wasn't new.
"It was actually a Yahoo vulnerability that has been doing
the rounds for a few weeks, but seems to have jumped over to
Xtra (who outsource their email to Yahoo)," wrote Luke Healy.
"Apparently it's fixed now, although it's quite likely that
whoever did it kept copies of all your contacts and will keep
spamming them in your name."
Ray Eyre said he had even begun to receive email spam from
his own account.
"The spam from my own address must be generated on the
telecom/yahoo server as there is no other way it can happen."
He said he had queried Telecom a number of times over the
amount of spam and had been "fobbed off"each time. He was
considering dropping Telecom as his internet service
Telecom spokeswoman Jo Jalfon said the problem began on
"Despite the huge focus Yahoo! puts on email security,
spammers are internationally becoming increasingly savvy," Ms
"Telecom advises its customers to routinely change their
password to further reduce the risk of their email account
being compromised in any way."
A recorded message from Xtra said the problem had been fixed.