130,000 Xtra email addresses ‘at risk’
Spark says information from 130,000 Xtra email addresses is “at risk” as a result of a massive hack on Yahoo in 2014 that only came to light last week.
Privacy Commissioner John Edwards praised Spark but questioned Yahoo’s response and said the hack showed the need for a New Zealand law to force companies to own up to data breaches.
Yahoo said last week that 500 million email customers had information stolen in the attack which it believed had the backing of a foreign government.
The attack also affected Spark customers as it outsourced its Xtra email service to Yahoo in 2007.
Spark said about 15 per cent of its 825,000 Xtra email addresses were at risk.
The information stolen from Yahoo includes unencrypted questions and answers to security questions that could be used to reset account passwords.
These are commonly answers to questions such as a pet’s name or the name of people’s first school or car.
The leak of that information could cause customers’ other online services to be hijacked, in cases where they had supplied the same information.
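The reason unencrypted storage matters is that a stolen database hands the attacker the answers directly. The following is an added example (not code from Spark, Yahoo or the article) showing how a service can store a security answer the way a password should be stored: normalised, salted and run through a slow key derivation, so a leaked record contains no usable answer. Function names and the PBKDF2 parameters are my own choices; the sample record is constructed.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Rover ' and 'rover' verify as the same value."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) using a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256).

    A fresh random salt per record means identical answers across users
    produce different digests, so a leak does not reveal who shares an answer.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed sample: what a breached plaintext record exposes ...
PLAINTEXT_RECORD = {"question": "Name of your first pet?", "answer": "Rover"}


def protected_record(question: str, answer: str) -> dict:
    """... versus what the database should hold: the question, a salt and a digest."""
    salt, digest = hash_answer(answer)
    return {"question": question, "salt": salt.hex(), "answer_hash": digest.hex()}


if __name__ == "__main__":
    rec = protected_record(PLAINTEXT_RECORD["question"], PLAINTEXT_RECORD["answer"])
    print(rec)  # no "answer" field survives in storage
    print(verify_answer("  rover ", bytes.fromhex(rec["salt"]), bytes.fromhex(rec["answer_hash"])))
```

Hashing limits what a leak discloses but does not fix the point Edwards makes about answers being unchangeable and often guessable, so reset flows still need rate limiting and a second factor.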
Spark spokeswoman Michelle Baguley said it would be asking affected customers to immediately change their passwords, if they hadn’t already.
At least the majority of impacted Xtra customers had not had unencrypted security questions and answers stolen, although there might be scenarios in which it had been, she said.
Yahoo had told Spark it had no evidence that the stolen information had been used to gain unauthorised access to Spark accounts – meaning their actual emails – she said.
Edwards said he was monitoring the Yahoo hack. He did not believe it was acceptable that security questions and answers were stored unencrypted by Yahoo and he expected that would be an issue privacy investigators in the United States and Ireland would look into.
“We will be following those investigations closely on behalf of New Zealanders.”
The problem with such information was that, unlike passwords, it could often not be changed, he agreed.
“Your mother’s maiden name remains your mother’s maiden name – there is nothing you can do to change that. These kinds of ‘prompts’ are not good enough any more I think.”
Edwards said he was grateful that Spark quickly alerted his office and immediately began taking action.
“The fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification.”
The Government signalled in 2012 that it intended to introduce a law that would force companies to promptly disclose serious data breaches but this has not yet been implemented.