Technician’s Blog

BT exposes customers' Yahoo! email account details: Whistleblower squeals over alleged email fail

By Kelly Fiveash | The Register

BT is being investigated by the UK’s data regulator after a whistleblower exposed evidence that allegedly showed the one-time national telco’s customer email accounts were being compromised by spammers, The Register has learned.

In May last year, BT unceremoniously ditched Yahoo! Mail in favour of a white label product from San Mateo, California-based Critical Path Inc.

At the time, Britain’s largest ISP explained that it was “always looking for ways to improve and develop products and services”, while Critical Path chimed in by adding that it was offering a “flexible and consistent experience across … devices”, and added that the deal included “email antivirus/anti-spam security services.”

In December last year, an employee of Critical Path Inc – which was bought by Openwave Messaging in late 2013 – blew the whistle on the company by claiming to the UK’s Information Commissioner’s Office that a series of data gaffes had occurred that affected BT’s customers.

According to confidential documents seen by The Register, the whistleblower warned the watchdog that Critical Path Inc was running what he described as a chaotic mail system for BT that, he claimed, may have flouted Britain’s data rules.

Our source alleged:
Critical Path was running a set-up during migration that exposed user credentials en masse as login proxies connected via load balancers to Yahoo!, with only traffic between load balancers and Yahoo! being encrypted and the rest circulating around the infrastructure in clear text.

Among other things, it has been alleged that user IDs and passwords of BT subscribers were logged by the messaging provider. The whistleblower said he was concerned by what he claimed to be the “careless implementation of security safeguards affecting the privacy of BT internet mail users.”

Meanwhile, the ICO has been investigating the allegations to determine whether a violation of the UK’s data laws has taken place. It has also been mulling over BT’s culpability in the case.

[...]

Read the full article at theregister.co.uk