The New York Times has published a story quoting unnamed Yahoo insiders, and it doesn’t paint a pretty picture of the firm’s security priorities.
There’s lot to ponder in the article, but one thing that sprung out to me was a section which described how CEO Marissa Mayer clashed with Yahoo CISO Alex Stamos (who left to become Facebook’s security chief in mid-2015, in a move widely applauded by the infosec community).
But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.
Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.
In 2009, Yahoo is believed to have been one of the many tech firms (including Google who famously went public about it) who suffered a sophisticated attack from Chinese hackers dubbed “Operation Aurora”.
In 2012, 450,000 Yahoo email addresses and passwords were stolen by hackers after the company’s sloppy security was exposed.
In 2013, NSA whistleblower Edward Snowden revealed how the NSA and GCHQ had exploited Yahoo’s systems, and were capable of intercepting users’ messages as they travelled between the company’s network of data centers.
Meanwhile, Yahoo was being pretty dumb - what with its moronic recycled email address scheme, Marissa Mayer not bothering to have a passcode on her smartphone, and Yahoo rewarding vulnerability researchers who found a serious bug that could lead to account compromise a pathetic $12.50 t-shirt.
The only silver lining was that Yahoo finally decided to switch on HTTPS by default in January 2014, although it was shockingly late to that particular party.
As we were to learn last week, however, there was more trouble just around the corner.
In late 2014, as we now know, half a billion account details were stolen after a massive security breach that the company is blaming on a state-sponsored attack.
In 2016, Yahoo is trying to sell itself to Verizon for $4.8 billion.
I wonder if Marissa Mayer wishes now that she had told Yahoo’s security team to reset all users’ passwords back then.
Companies either get security or they don’t. If the New York Times story is to be taken at face value, it’s beginning to sound like the problem with security not being treated as a priority at Yahoo was coming from the very top.