Has Xtra email been breached again?

Forums › Spark New Zealand (including Skinny and BigPipe) › Has Xtra email been breached again?

1 | 2 | 3 | 4 | 5 | 6 | 7

2870 posts

Uber Geek

Trusted

Lifetime subscriber

#797203 10-Apr-2013 15:21

Telecom certainly on the ball so thanks to you and your guys Peter.

Had a call earlier today about my account being compromised and asking for the same info you had asked for and have also emailed me so even though its an inconvenience its not the end of the world.

Galaxy S10

Garmin Fenix 5

mentalinc

3234 posts

Uber Geek

Trusted

#797224 10-Apr-2013 16:01

plambrechtsen:
If I could get a copy of the headers & payload URL that would be useful to ensure it's already been captured.

PM sent with the details.

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

humvee

196 posts

Master Geek

#797227 10-Apr-2013 16:17

plambrechtsen:
joker97: if i never use my login could i have been hacked? if so they got my password from WHERE???

Do you use an insecure password (something short with just a word). Or something with uppers, lowers and numbers.

I am right in the middle of this working directly with Yahoo, so can't comment on any further things.

But I can say that a number of geekzoners here have provided extremely useful information that has been fed directly back to Yahoo and is very much appreciated.

The account that was breached that i know password For was 2 words 1 number 7 chars total.

aw

286 posts

Ultimate Geek

#797265 10-Apr-2013 17:29

Checked out the payload of the messages I got on a deliberately insecure VM with WinXP and IE6 - just diet scams, no apparent exploits - but the spammer could be acting for multiple "vendors" for all we know.

freitasm

BDFL - Memuneh
79283 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#797308 10-Apr-2013 18:39

Just received from Telecom:

Update on today’s Yahoo Xtra suspicious email incident:

Telecom is implementing tonight a new, simpler, process to protect customers whose accounts appear to have been compromised in a new malicious email incident over the past 24 hours or so. A compromised account means that the customer’s email account is potentially being misused to send suspicious emails.

The new process, which was committed to in our email review announcement last Friday, means that affected customers who usually log onto their Yahoo! Xtra email via webmail (internet) will tonight be automatically directed to a web page that steps them through how to change their password and make any necessary changes to their account settings.

All affected customers, including those who access their Yahoo! Xtra email via other methods, such as Outlook mail or other email applications, will receive an email tonight, advising them to change their password immediately. The email will direct them to the Telecom website.

To recap: late Tuesday afternoon Telecom had reports that some Yahoo! Xtra customers were receiving suspicious looking emails. As in the previous February incident, these emails appeared to be from one of their contacts, but contained an embedded link to a potentially malicious website.

We began urgent investigations with our email provider Yahoo! to identify the source of this latest issue. This included submitting examples of these suspicious emails for Yahoo! to analyse and attempt to trace the source. Based on this analysis, Yahoo! implemented some additional security protocols.

If a customer’s email account has potentially been compromised, previous experience has shown that the most effective way to re-secure their account is to change their email password.

We would again like to sincerely apologise to all of our customers who have been affected by this latest incident – in particular those whose accounts have been misused to send suspicious emails, as well as those who have received such emails. It is extremely disappointing to us that this incident seems to have recurred and we are in active discussions with Yahoo! to gain a better understanding of the cause of this latest incident.

Further background

The reality of today’s online world means that all email providers are engaged in a continuous battle against online crime, malicious emails and spam. As one of the world’s biggest providers of email services, Yahoo! is at the front line of this battle and alone blocks more than 600 billion spam messages a month.

It is important for customers to realise that simply receiving a suspicious email does not indicate that their account has been compromised. We advise customers who have received mail that they believe is spam, even from a known contact, to delete immediately and never to click on suspicious links contained within emails.

Telecom announced last Friday it is continuing to offer its Yahoo! Xtra email service with Yahoo! as our email provider, after receiving strong feedback from customers around the high value they place on the service, and obtaining a commitment from Yahoo! to work with Telecom to improve the customer experience and respond to security issues.

kiwigeek1

637 posts

Ultimate Geek
Inactive user

#797314 10-Apr-2013 18:42

still that may fix the hacked accounts and ones used for spamming but still hasnt fixed the pop/imap
auth error which clears for 5 minute after webmail login :)

but for now I can live with it.. forwarding to gmail no doubt it a months time it mysteriously fix itself

jeffnz

2870 posts

Uber Geek

Trusted

Lifetime subscriber

#797319 10-Apr-2013 18:46

what I received after a phone call, all very efficient, suitably impressed

"Secure Email – Telecom Xtra Security Team, TT#

Discussion Thread
Our Response Via Email (Sophia N) 10/04/2013 10:29
Good Morning Mr.
As per our conversation over the phone, We have been notified by Yahoo! that your Xtra Email account maybe compromised (e.g. sending out Spam).
In order to find out where the source of this is coming from, we require the following information:
When was the last time you had or attempted to log into webmail?
What is your current Xtra Email Password?
When was the last time your email password was changed?
We also require the following -
Login into: [url removed]
Provide the last 5 login attempts, including date, time and country.
If at all possible, please provide the full email headers for any suspicious emails that appear in your inbox.
To get email headers, please see the following links:
Webmail: http://telecom.custhelp.com/app/answers/detail/a_id/4019
Email Client: [url removed]
Once you have provided this information, please follow the link below to change your password to secure the email account: [url removed]
Thank you for your time and assistance
Kind regards,
Sophia

---------------------------------------
Complex Technical Support
Telecom New Zealand Limited
--------------------------------------- "

Galaxy S10

Garmin Fenix 5

Tradepub

Free professional, reference and technical white papers (affiliate link).

jeffnz

2870 posts

Uber Geek

Trusted

Lifetime subscriber

#797320 10-Apr-2013 18:47

kiwigeek1: still that may fix the hacked accounts and ones used for spamming but still hasnt fixed the pop/imap
auth error which clears for 5 minute after webmail login :)

but for now I can live with it.. forwarding to gmail no doubt it a months time it mysteriously fix itself

mine has been fine so haven't forwarded to gmail as of yet

Galaxy S10

Garmin Fenix 5

lestag

100 posts

Master Geek

#797723 11-Apr-2013 12:33

The problem is right across yahoo mail servers. From BTInternet.com (yahoo hosts BT mail) to yahoo.com itself

I have been receiving spam from user accounts at BTinternet.com and yahoo.com for the past month or so. oh and xtra.co.nz...

I think people need to check that they are not using "remember me" when logging to a yahoo service

1080p

1332 posts

Uber Geek
Inactive user

#797977 11-Apr-2013 19:06

Haha! How is this still an issue? I don't see Google Mail or Microsoft Live being repeatedly breached on a massive scale...

sonyxperiageek

2959 posts

Uber Geek

Trusted

#797989 11-Apr-2013 19:22

I just got a message from a Yahoo account (one of my friends) and the suspicious link is something like "seracoustic". That was part of the link I got...

Sony

freitasm

BDFL - Memuneh
79283 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#798210 12-Apr-2013 08:43

Telecom urges customers to solve Yahoo!Xtra issues by not using Yahoo!Xtra

And yes that is a parody web site...

old3eyes

9120 posts

Uber Geek

Subscriber

#798359 12-Apr-2013 12:54

freitasm: Telecom urges customers to solve Yahoo!Xtra issues by not using Yahoo!Xtra

And yes that is a parody web site...

There's some truth in that article..

Regards,

Old3eyes

kiwigeek1

637 posts

Ultimate Geek
Inactive user

#798440 12-Apr-2013 14:41

after reading article..
alas though I never did anything wrong,and have high security as well.. pop3/imap just stopped working no changes no pwd changes even but it always worked prior to the first spamming that happened

and I dont believe some of the spammed accounts were due to dummy users and lack of security

I believe the accounts got hacked.. and I think mine is still being brute forced but since I have a complex
password it will take them much longer

also cos pop3 is block after 5min of unfreezing it by logging in via the webpage will be protecting it
from the bruteforce hack going on if theres one..

forwarding the email to gmail is the only solutuon to me

our accounts so far havent been hacked.. cos we dont use dictionary words and just numbers

Oblivian

7297 posts

Uber Geek

ID Verified

#798463 12-Apr-2013 15:35

It certainly sniffs of the cause being either new accounts only, or easy PW brute/dictionary attack. But possibly not given my account(s)

Mine is a complex alphanumeric. It was a 'temporary' account PW given via a random generator at the front desk of CyberXpress (anyone remember them!) when I signed up. And its stuck to date since its one I could remember from using it frequently enough.

So my account so far is either Complex and random enough its not been touched. Or its due to the account being there for the past 15 or so years or pre-yahoo outsource.

However.. My yahoo.com.au group signup account.. is another story. Not common dictionary standard word with replaced numeric chars. And it got accessed from some random server in the original attack.

Tip for family with issues comming up with complex passwords.. print out their favourite song. (or kids nursery rhyme) use the first letters of each word in a verse, and replace with numerics as you see fit.

That wat its easy-ish to remember. And in your face without anyone realising.

IE..

Humpty dumpty sat on a wall, humpty dumpty had a great fall

Would become Hd5oawhdha6f or similar.

1 | 2 | 3 | 4 | 5 | 6 | 7