Xtra users at risk from massive Yahoo hack
Spark warns clients after 500m accounts at US email provider breached
Telco Spark was last night contacting Xtra customers whose account security may have been compromised after hackers accessed hundreds of millions of Yahoo accounts.
Yahoo confirmed the breach in an announcement yesterday, saying computer hackers swiped personal information from at least 500 million accounts in what is believed to be the biggest digital break- in at an email provider.
United States- based Yahoo is the current provider of the Xtra email service, though the New Zealand telco is moving to another service.
Yahoo said information from some of Spark’s Xtra customers was included in the data attack, which occurred in late 2014.
Spark spokeswoman Michelle Baguley said the telco was working closely with Yahoo to identify customers who might have been affected.
Yahoo had no evidence that the stolen passwords or security questions and answers were used to gain unauthorised access to Spark accounts.
The hacked account information may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Yahoo’s investigation suggests that information did not include unprotected passwords.
“Spark will be communicating directly with customers who we believe may have been impacted as soon as we have more information,” Baguley said.
“We would like to remind all customers to change their password and security questions for their Xtra account and any other account on which you used the same or similar information.”
Spark advised all Xtra users to regularly update their account settings with a strong, difficult- to- predict password.
Baguley said Xtra customers who had not changed their password or security questions since 2014, or were unsure if they had, should do so on the Spark website using the link www. spark. co. nz/ changepassword.
The company was in the process of preparing to move all of its email systems back home to New Zealand, she said.
Yahoo did not explain the delay in uncovering a data theft that it blamed on a “state- sponsored actor”, official parlance for a hacker who i s working on behalf of a foreign government.
Yahoo began investigating a possible breach in July, about the time the tech site Motherboard reported that a hacker who uses the name “Peace” was trying to sell account information belonging to 200m Yahoo users.
Yahoo did not find evidence of that reported hack, but additional digging later uncovered a far larger, allegedly state- sponsored attack.
Michelle Baguley, Spark spokeswoman