Thanks for the extra, but not to Xtra

(This is the Online column, written for The Southland Times)

It’s bad enough that so many Xtra email addresses have been compromised but the fact that Yahoo, the company responsible for managing that email system, won’t even give an answer on how many accounts is nothing short of arrogant.

If you have an email address of any description, it’s likely you have been affected in some way by the Xtra email dramas: either your email has been hacked or your address spoofed. I have suffered the latter fate and I’m not happy. And there isn’t a thing I can do about it.

This whole sorry saga began at least a year ago, when hackers managed to get their grubby paws on the login details for 87,000 of Xtra’s 450,000 email accounts. Yahoo has been running the email service for seven years and while it has never officially explained what went wrong, those a tad more tech-savvy than me reckon is was a cross-site scripting attack that targeted a security flaw in a piece of blogging software used by some Yahoo geeks. Everyone thought the problem was fixed but the ongoing problems would seem to indicate that our email addresses are still in the firing line.

I’ve had phonecalls from friends and colleagues who thought my email had been hacked because they had received messages from me with odd links but while I’ve actually managed to avoid the whole being hacked part of the equation, I have still been affected. How? I’m being spoofed.

It looks like the hackers copied the address books or took the email addresses from messages Xtra users had sent and they are now spoofing those addresses in the emails: the from line might say it’s from me but it isn’t. It just looks that way.

This is worse than being hacked because it means that no matter how carefully you secure your email account, how good your security software is, no matter how careful you are, you cannot stop your address being spoofed.

The only way around it is to change your email address and if – like me – you have had your address for a couple of decades, changing it is a bit of a nightmare.

Sure, I have the obligatory Hotmail address, and Gmail. I even have one tied to my website domain.

However, my main email address is that little beastie and I’m peeved that it’s now out there in the big, bad web being exploited.

Telecom must be a bit worried about losing customers because I got a nice wee note from them this week telling me they had added a further 10GB to my current web plan at no extra cost.

That’s all very nice, Telecom, but I’d rather you hadn’t given ownership of your Xtra email to a company that seems to have no interest in offering any sort of explanation to its customers.

So that’s a thank you to Telecom but a “shame on you” to Yahoo.

Leave a Reply