Telecom could ditch 'awful' email provider, says user group

Mr Matthews said Yahoo! could simply have kept their software up to date on web servers, but did not. Photo / Thinkstock

Telecom is reviewing its email service with Yahoo! in the wake of a hacking scandal but an IT expert says they could ditch the American giant and move on.

Telecom chief executive Simon Moutter is understood to have spoken to Yahoo's global chief executive this week, expressing disappointment on behalf of his 450,000 customers.

Moutter himself was one of 87,000 Telecom internet users who were on the end of emails containing spam this month after the Yahoo! Xtra service was hacked by overseas criminals.

A Telecom spokeswoman said the contract with Yahoo! was not up for review and no other providers had been spoken to. But Telecom had reviewed its email service and could pass on costs as a result of the glitch.

Asked how Telecom rated Yahoo's performance, the spokeswoman said it had "robust systems in place to minimise the risk of spam entering customers accounts".

But Paul Brislen of Telecom Users Association NZ said Yahoo! had an "utterly awful" security record and equally bad customer service.

He sympathised with Telecom's plight and doubted they would renew their arrangement with Yahoo!, having outsourced their email service to the American giant in 2007.

"(Telecom) are in quite a tricky spot, yes it's their brand and their responsibility and at the end of the day your contract is with Telecom, not with Yahoo!," Mr Brislen said.

"They trusted (Yahoo!) to do a better job and have been dumped on by a big American company that probably can't find New Zealand on the map."

The breach follows another attack in July when hackers exploited a software vulnerability on a Yahoo! subdomain to steal 450,000 emails and passwords before releasing all of them publicly.

The hackers then posted a message online aimed at Yahoo! saying the hack was a "wake-up call".

But in November an Egyptian hacker known as "The Hell" found Yahoo! had failed to keep its blog software, used on another part of its website, up to date.

The Hell created a hack and sold it on an exclusive cybercrime forum for US$700 ($835).

This hack led to the spam attack on the Telecom users.

Paul Matthews, chief executive of the Institute of IT Professionals NZ, said the vulnerability allowed a third-party website to steal a login record on Telecom users' computers (stored in a browser cookie) then gain access to their email accounts.

The vulnerability had been a different one to that of last July but was due to another oversight.

Mr Matthews said Yahoo! could simply have kept their software up to date on web servers, but did not.

"This is security 101 and it's really unforgivable to have software that hasn't been patched for at least nine months on a major site like Yahoo!, exposing users to these types of vulnerabilities."

He said many major technology companies had a "Bug Bounty" programme in place where if people reported security glitches they were paid out in cash, depending on the level of vulnerability - but he doubted if Yahoo! had invested in this either.

Mr Matthews said a lack of disclosure about the exact vulnerability, how it was dealt with, what information was at risk and what was done about it was "a big concern".

Netsafe director Martin Cocker said outsourcing email to another country provided Telecom with "additional challenges" but he stopped short of saying they should get rid of Yahoo!.