HUGE security problem for HawaiianTel email accounts

I just discovered a HUGE security issue with HawaiianTel’s email system. Instead of keeping quiet I think disclosure is the best route so folks don’t get caught in this problem.

If you set up sub-accounts for your HawaiianTel account (inov.hawaiiantel.net…) you can create extra email addresses for @hawaiiantel.net.

Selfcare option to reset the password of a sub-account

If you’ve forgotten the password for a sub-account you can hit a ‘reset password’ link in selfcare.

The password will be reset to ‘password’.

Default recovery password is ‘password’

Yup, the weakest password you could ever ask for is forced upon the email sub-account. If that wasn’t bad enough, once you log into the sub-account THERE’S NO WAY TO CHANGE THE PASSWORD. The password will be stuck as ‘password’ for the account. The webmail help menu says a password change option will show up if you hit the ‘Settings’ menu, but that option is missing. I’ve checked using both Mac and Windows.

Instructions on how to change your email password
Settings screen without the change password option

I’ve checked all the sub-menus in the Settings preferences and there is no way to change the password; it’s stuck at ‘password’.

I’ve sent in a trouble ticket to HawaiianTel to let them know about this issue, so hopefully they will get this fixed pronto. In the meantime I would refrain from resetting passwords via selfcare, and if you’re using ‘password’ as your password for any account you should change it immediately anyway.

I don’t normally use my HawaiianTel email account, but with a HawaiianTel email account you can log into their Wi-Fi hotspots for free at places like The Coffee Bean and Tea Leaf shops. I think Hilo Seaside Hotel has Skywave hotspots, along with a few other places.

By the way, HawaiianTel, if you’re reading this, please update your Wi-Fi hotspots list.

UPDATE – SOLUTION

There’s a way to change the password from the default ‘password’ for your @hawaiiantel.net email account.

  1. Go to selfcare at inov.hawaiiantel.net…
  2. Log in with the email address and password for the account you want to update.
  3. Choose the Manage Your Account Information option as seen below.
  4. Change your password.
Choose ‘Manage Your Account Information’ to change your password.

So ignore the help instructions built into their webmail system; selfcare is the only place you can change your password.

Technically HawaiianTel should create a CNAME Record (Canonical Name record) to redirect webmail.hawaiiantel…. and mail.hawaiiantel.net to selfcare which would steer folks to the account options. Of course they need to fix the Roundcube webmail system they’re using with the corrected options as noted in the help file or put the Change Password link in the sidebar where it’s supposed to be and link it to selfcare. Using a random generator when resetting passwords would be good too.

HawaiianTel’s response to my trouble ticket

Thank you for contacting the Hawaiian Telcom Support Center. We apologize for the inconvenience.

After you are in the master account and reset the password for the child or sub accounts, please log in to the child or sub accounts. To change your password, please go to www.hawaiiantel.net/ and click “Manage Hawaiian Telcom Services” at the top of the page and log in with your child or sub account email address and current password. Click “Manage Your Account Information” and type a New Password and Confirm Password and choose a different secret question and answer and click Save Mailbox Changes Go at the bottom. Also note that the password rules are on the side. The most common problem with creating a new password with our email system is it must start with a lower case letter.

If you have any other questions or concerns, please let us know.

UPDATE (10/20/15)

HawaiianTel has added a random character generator to the password reset function so the password will no longer be ‘password’. They also have a link to selfcare next to the newly generated reset password.

The webmail system itself still has erroneous help instructions telling users to go to Settings then Password to reset their password. That option still does not exist.
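
An added example (not HawaiianTel's code and not part of the original post) contrasting the constant-value reset described above with a reset that uses a random generator. It goes beyond the post by also expiring the temporary password and forcing a change at first login; the account dictionary, function names and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import string

TEMP_TTL = 15 * 60  # assumed lifetime of a temporary password, in seconds

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(account, password):
    # Store a salted hash, never the password itself.
    account["salt"] = secrets.token_bytes(16)
    account["pw_hash"] = _hash(password, account["salt"])

def reset_weak(account):
    """Behaviour described in the post: every reset yields the same value."""
    set_password(account, "password")
    return "password"

def generate_temp_password(length=16):
    """CSPRNG password; first char lower-case per the rule quoted on the page."""
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(string.ascii_letters + string.digits)
                   for _ in range(length - 1))
    return first + rest

def reset_hardened(account, now):
    """Random one-off value that expires and must be replaced at first login."""
    temp = generate_temp_password()
    set_password(account, temp)
    account["must_change"] = True
    account["temp_expires"] = now + TEMP_TTL
    return temp

def login(account, supplied, now):
    # Constant-time comparison of the stored and recomputed hashes.
    ok = hmac.compare_digest(account["pw_hash"], _hash(supplied, account["salt"]))
    if not ok:
        return "denied"
    if account.get("must_change"):
        # A temporary password only unlocks the change-password step.
        return "change_required" if now <= account["temp_expires"] else "denied"
    return "ok"
```

With `reset_weak`, anyone who knows a sub-account address can log in with `password` after a reset; with `reset_hardened`, that guess is rejected and the temporary value is only good for reaching the password-change step.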

3 Replies to “HUGE security problem for HawaiianTel email accounts”

  1. Thank you for your insightful blog post, Baron. Security is important to us and we’re committed to continually improving our security measures. We’ve enhanced the password reset application to resolve this issue. Mahalo again for your feedback and support. Aloha, Rashae – Hawaiian Telcom

    1. Note that the ‘help’ menu built into the webmail system is still incorrect and erroneously instructs people to go to the Settings panel and a Password menu item that does not exist.

  2. I know this web-blog is 4 months old, but unfortunately I have had nothing but trouble with Hawaiiantel. Their tech specialists are not that knowledgeable and fail to follow up on problems. I live in Mililani and was one of the first to get fiber in my area. Was extremely interested in fiber because it is super reliable and fast. The first has proven to be true. The network has never gone down. However speed has been an issue from day 1. I have 20Mbit download speed. I have an old setup. My speed at the beginning was close to 20, but then about 3 weeks later slowed down when 1 of my ports failed to work. I was set up on port A and moving to port B fixed the problem. However it introduced another. My speed dropped to under 10 MBits. I didn’t notice for another reason, my connection to the Internet backbone is slow, slow, slow. I had download tests from UH and other Oahu locations of around 1-2MBits/sec. I did tell Hawaiiantel they needed to look into their connection into the Internet backbone (downloads from Continental US and Europe) as they were extremely slow. However, I thought I would give them some time to get their system up and the bugs out. A year went by and I checked my local speed and discovered it was under 10Mbits. Hawaiiantel told me to check my system. I told them I am an engineer that works with networks and I know my system is good. They sent a technician out and I demonstrated that yes the connection out of their ONT was slow. The technician was surprised that I could hook straight in to the ONT without a router or any other hardware between the ONT and my Mac (Have PC’s too). I explained the history and the dead port on the ONT. He told me he would just replace the ONT with a desktop newer model. I told him, no. First let’s just open the fiber connection and hook it into the new desktop ONT and see if the problem goes away. Nope, problem still existed. So this pointed to a big problem upstream for Hawaiiantel. We did get to the bottom of it. It turns out a server upgrade was done several months ago (at the time my port A stopped working) and they cancelled my port A service and left the port B service but they didn’t fully set up the server software. They never told me or anyone this had been done. The result was port A got 10Mbits and port B got 10Mbits and port A was disabled, so I got up to 10Mbits AND with port A still in the bitbucket my port B got typically less.

    OK so I got poor speed and was paying a promo price for over a year. But it doesn’t stop there. I recently got very upset because my 9.6GB .pdf files from IEEE were taking extremely long to download (40sec) calculation is speed = (9.6MB x 8b/B) / 40 sec = 1.92Mbits/sec. Yep, that is slow. Bad problem with their backbone connection to East Coast. So, I have Oceanic at my other residence. The cheap one 2Mbits/sec costing $14.95/month used to run cameras. I did a WiFi connection test and downloaded the same files. The results were mind boggling. The IEEE download took 21 sec for 9.6MB .pdf file, two times faster than my 20MBit Hawaiiantel fiber connection. Another test file from ‘engineerhammad.blogs… took 207 sec on my Hawaiiantel fiber 20MBit connection and it took on Roadrunner 2Mbit connection exactly 36 sec. Hawaiiantel speed was 0.3864Mbits/sec; Oceanic speed was 2Mbits/sec, the throttled max of the connection.

    To top it off, Hawaiiantel just raised my fee for Phone and Internet $30 to $119/mo. You would have thought the guys at Hawaiiantel would have discovered the problem and tried to fix it. I suspect they are so overloaded with issues this one was ignored. All I can say, Hawaiiantel wake up or Oceanic is going to eat you alive.
