Yahoo put security on back burner
Insiders criticize CEO for prioritizing products over protection against hackers
SAN FRANCISCO — Six years ago, Yahoo’s computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.
Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone to hack into Google customers’ accounts.
Yahoo, on the other hand, was slower to invest in the kinds of defences necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.
When Marissa Mayer took over as chief executive in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services such as Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.
The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.
But Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the past four years. Last month, the company disclosed that hackers, backed by what it believed was an unnamed foreign government, stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the FBI.
Certainly, many big companies have struggled with cyberattacks in recent years. But Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.
To make computer systems more secure, a company often has to make its products slower and more difficult to use. It was a trade-off Yahoo was often unwilling to make.
In defence of Yahoo’s security, a company spokeswoman, Suzanne Philion, said that the company spent $10 million (U.S.) on encryption technology in early 2014, and that its investment in security initiatives will have increased by 60 per cent from 2015 to 2016.
The breach disclosed last week is the latest stumble for Mayer, whose failed turnaround effort resulted in Yahoo’s agreement in July to sell its core operations to Verizon for $4.8 billion. It is unclear whether the episode will affect the sale. Although Yahoo’s email users are its most loyal and frequent customers, the company has been losing market share in email for years.
“Yahoo is already suffering. I don’t think they’ll suffer more because of this,” said Avivah Litan, a security analyst with research firm Gartner.
In 2013, disclosures by Edward Snowden, the former National Security Agency contractor, showed Yahoo was a frequent target for nationstate spies. Yet it took a full year after Snowden’s initial disclosures for Yahoo to hire a new chief information security officer, Alex Stamos.
Jeff Bonforte, a Yahoo senior vicepresident who oversees its email and messaging services, said in an interview in December that Stamos and his team had pressed Yahoo to adopt end-to-end encryption for everything. Such encryption would mean that only the parties in a conversation could see what was being said.
Bonforte said he resisted the request because it would have hurt Yahoo’s ability to index and search message data to provide new services.
“I’m not particularly thrilled with building an apartment building which has the biggest bars on every window,” he said.
The 2014 hiring of Stamos — who had a reputation for pushing for privacy and anti-surveillance measures — was widely hailed by the security community as a sign that Yahoo was prioritizing privacy and security.
The current and former employees say he inspired young engineers to develop more secure code, improve defences — including encrypting traffic between Yahoo’s data centres — hunt down criminal activity and successfully collaborate with other companies in sharing threat data.
He also dispatched “red teams” of employees to break into Yahoo’s systems and report what they found. At competitors such as Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange, a platform created by Yahoo, Dropbox, Facebook, Pinterest and others to share information on cyberthreats.
But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Mayer repeatedly clashed with Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defences, including intrusion-detection mechanisms for Yahoo’s production systems.
Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Mayer’s team for fear that even a simple password change would drive Yahoo’s email users to other services.
When it came time to commit meaningful dollars to improve security structure, Marissa Mayer denied Yahoo’s security team financial resources