When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.
The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.
But Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation…
But in matters of security, Ms. Mayer, current and former employees said, was far more reactive…
In 2013, disclosures by Edward J. Snowden, the former National Security Agency contractor, showed that Yahoo was a frequent target for nation-state spies. Yet it took a full year after Mr. Snowden’s initial disclosures for Yahoo to hire a new chief information security officer, Alex Stamos.
Jeff Bonforte, the Yahoo senior vice president who oversees its email and messaging services, said in an interview last December that Mr. Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. Such encryption would mean that only the parties in a conversation could see what was being said, with even Yahoo unable to read it.
Mr. Bonforte said he resisted the request because it would have hurt Yahoo’s ability to index and search message data to provide new user services. “I’m not particularly thrilled with building an apartment building which has the biggest bars on every window,” he said.
But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.
Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.
By the way, “Yahoo’s ability to index and search message data to provide new user services” means targeted ads. But it gets worse–if Yahoo were ever forced to make users whole (STOP LAUGHING! STOP LAUGHING NOW!), it would wipe out the entire value of the company (boldface mine):
Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July found that the costs to remediate a data breach is $221 per stolen record. Added up, that would top Yahoo’s $4.8 billion sale price.
Of course, when Yahoo is finally sold, she’ll still make off like a bandit.