
Here’s Some More Information About Rogers Ongoing Email Fiasco


As I type this, it is March 27th and there’s still no resolution to the issues that Rogers has with their email offering. For those of you who are new to this, let me recap the sequence of events that has been ongoing for almost the last month:

It started as a general outage, but what has dragged on for weeks is an issue with email. Anyone who uses Rogers email service (in other words they have a @Rogers.com address) cannot get their email. This is in part due to the fact that Rogers requires users to create App Specific Passwords via Rogers Member Center on each program or device that an email address is used on. The creation of new app specific passwords doesn’t work and existing app specific passwords appear to have been deleted in many cases. That pretty much breaks your applications that rely on them. There is a workaround, but that workaround is sub-optimal because viewing mail through a web browser is not the best experience. Especially on a smart phone. And there’s the fact that you might have to call Rogers to get someone to reset your email password if you don’t know what it is. The problem with that is that since this fiasco began, Rogers wait times to speak to someone have gone through the roof. Making that a sub-optimal experience as well for Rogers customers.

Now I’ve been asking my sources inside Rogers about this whole fiasco, and they’ve told me on background that this is entirely a Rogers issue that they have yet to figure out. Specifically with the underpinnings of their App Specific Password system which is bolted onto their email service which is provided by Yahoo. I’ll have more on Yahoo in a moment. But you’re likely wondering why Rogers uses App Specific Passwords in their email offering. Here’s the answer: Security.

If a threat actor manages to get your password, and that same password is used on all the mail clients that you use, the threat actor in theory has access to your email on any device. That would be the case with the majority of email systems out there. But by using App Specific Passwords, where every email client and/or device has a unique password, any sort of pwnage that a threat actor does is limited to the one device or application. At least in theory.
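A minimal sketch of the containment idea described above, added here as an illustration. It is not Rogers’ or Yahoo’s implementation, and the `AppPasswordStore` class, the app labels and the account name are hypothetical. Each app gets its own random password, only a salted hash is stored, and revoking one app’s password leaves the others working.

```python
import hashlib
import hmac
import secrets


class AppPasswordStore:
    """Toy per-app credential store (hypothetical, for illustration only)."""

    def __init__(self):
        # account -> {app label -> (salt, PBKDF2 hash)}
        self._creds = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue(self, account, label):
        """Generate a random password for one app/device; only its hash is kept."""
        password = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._creds.setdefault(account, {})[label] = (salt, self._hash(password, salt))
        return password  # shown to the user once, then typed into that one app

    def authenticate(self, account, password):
        """Return the label of the app this password belongs to, or None."""
        matched = None
        for label, (salt, digest) in self._creds.get(account, {}).items():
            # Constant-time comparison; every entry is checked regardless of match.
            if hmac.compare_digest(digest, self._hash(password, salt)):
                matched = label
        return matched

    def revoke(self, account, label):
        """Revoke a single app's password; returns True if it existed."""
        return self._creds.get(account, {}).pop(label, None) is not None


def demo():
    store = AppPasswordStore()
    acct = "user@example.com"  # constructed sample account
    phone = store.issue(acct, "phone-mail")
    laptop = store.issue(acct, "laptop-mail")
    # The phone's password leaks: revoke only that one credential.
    store.revoke(acct, "phone-mail")
    # The leaked password no longer works; the laptop is unaffected.
    return store.authenticate(acct, phone), store.authenticate(acct, laptop)
```

Because authentication reports which label matched, a sign-in with a leaked password can also be traced to the one app or device that needs a new credential.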

Sidebar: One of the ways that you can best protect yourself online is to use a completely different password for each and every service that you use, as that follows the logic that Rogers is using here.

My problem with this App Specific Password scheme by Rogers is that it adds a layer of complexity that most users have problems dealing with. Going to the Rogers Members Center and generating a password to use with your email client and/or device of choice is easy for someone like me, but complex for many of Rogers’ customers. And I have to admit, I do make a fair amount of money from this because I often get phone calls for help when a customer gets a new laptop or smartphone, and they want to get their email on it. In short, Rogers’ implementation of App Specific Passwords isn’t something that some Rogers customers can easily understand. If Rogers wanted to improve the security of their email service, my suggestion would be to enforce the use of complex passwords. For example, “password” is less secure than “P@$$w0rd” because the latter has special characters, a number and a capitalized letter that make the password harder for a threat actor to brute force or guess. I also assume that this would be easier for Rogers to implement, less likely to run into the issues that we’ve been seeing for the last month, and most importantly it would be secure.

Now if that’s not bad enough, there’s also the fact that the underpinnings of Rogers mail service is Yahoo. A company that doesn’t exactly have the best track record when it comes to privacy and security. And I suspect the latter is the reason why Rogers decided to bolt on App Specific Passwords to what Yahoo offers. In terms of the former, Rogers themselves got caught up in a change to Yahoo’s terms of service back in 2018 where Yahoo had tried to give themselves the right to do whatever they wanted with your email. While Yahoo did eventually walk that back for Canadians, it didn’t end well for Rogers as it left a bad taste in the mouths of a lot of their customers.

Now I am continuing to monitor this as I now have over three dozen clients who are affected by this… And counting. And I am continuing to publish updates on this because somebody needs to bring this issue and Rogers’ continued silence on this problem to light. Plus since you can’t forward your email to another provider, or export it entirely so that you have a local copy of it, Rogers email users are stuck with Rogers until they figure out how to fix this. Though I will admit to working on a way to export Rogers email so that my clients who want to dump Rogers for another ISP, but want a copy of their email, have an option to accomplish that. If I get something that is workable on Mac and PC, I will publish it here. In the meantime, for the sake of Rogers customers, I hope that one of Canada’s largest telcos gets its act together and figures this out. Because as I type this, Rogers has handled this whole situation quite poorly. Which frankly isn’t a surprise given their recent track record with how they handle major outages.
