A new report by The New York Times reveals the extent to which Yahoo didn’t really care about its user’s security, instead focusing on products and new features.
Last week, Yahoo admitted that hackers had breached its servers in 2014, stealing the personal details of over 500 million Yahoo users. It’s the largest hack ever executed on one single company. According to the Times, Yahoo executives, led by CEO Marissa Mayer, were completely apathetic about security, and refused to fund security initiatives, leaving the company vulnerable to attack.
After Edward Snowden revealed that Yahoo was an easy target for hackers, it took the company a year hire a new chief information officer. This is typically a prestigious and coveted position at companies like Google, Microsoft, or Facebook, and it seems that Yahoo didn’t take the search seriously enough. To its credit, Yahoo was able to hire Alex Stamos, a widely respected expert. Unfortunately, the company couldn’t keep him around for long.
The Times suggests Stamos departed in part due to clashes with Marissa Mayer.
But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, [members of Yahoo’s security team] have been routinely hired away by competitors like Apple, Facebook and Google.
But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.
These revelations only add to Mayer’s reputation as a failed and embattled CEO who ultimately ran Yahoo into the ground. But the indifference towards protecting the personal data of Yahoo users didn’t stop at Mayer:
Jeff Bonforte, the Yahoo senior vice president who oversees its email and messaging services, said in an interview last December that Mr. Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. Such encryption would mean that only the parties in a conversation could see what was being said, with even Yahoo unable to read it.
Mr. Bonforte said he resisted the request because it would have hurt Yahoo’s ability to index and search message data to provide new user services. “I’m not particularly thrilled with building an apartment building which has the biggest bars on every window,” he said.
Adding end-to-end encryption may not have prevented hackers from breaching Yahoo’s servers, but it certainly would have protected its users from government surveillance and hackers. Yahoo competitors, like Google and Facebook, have rolled out strong end-to-end encryption on their products.
Unfortunately for Yahoo and its users, once hackers have already snatched the personal information of 500 million users, there’s no way to fix it. If you’re a Yahoo user, these revelations probably don’t do much to make you feel like your personal information is secure on Yahoo’s servers. That’s because it probably isn’t.