Yahoo Didn’t Make Security a Priority According to Insiders

The New York Times published an interesting piece on the Yahoo breach.  The Times says that 6 years ago Yahoo, Google and a number of other tech companies were hacked by the Chinese.

That is where the similarity ends, according to the Times.

At Google, co-founder Sergey Brin took the hack personally.  Google hired hundreds of security engineers, using 6 figure signing bonuses as incentives.  Google invested hundreds of millions of dollars.

Yahoo, on the other hand didn’t do that.  They did not invest in the same kinds of people and tech that Google did.

Marissa Mayer was more interested in creating a pretty user interface than a secure company.

I still remember an interview with Mayer where she was asked about using a PIN on her phone.  She said that would be inconvenient.  That’s not inconvenient.  Inconvenient is when you are hacked to the tune of 500 million user accounts.  That is quite inconvenient for your users.

Yahoo also has a security team.  They are known as “The Paranoids”.  I often refer to myself as paranoid – that goes  back to my days as the security guy at a large defense contractor, but I am not sure that the Yahoo Paranoids was a positive appellation.

The Times said that The Paranoids often clashed with Yahoo execs over costs of security features and the impact of the security on usability for Yahoo’s customers.  Apparently, Google’s customers are more understanding.

A Yahoo spokesperson said that the company spent $10 million on encryption technology in 2014.  For a company being sold for almost $5 billion, $10 million is a drop in the bucket.  She also said that their investment in security increased by 60 percent between 2015 and 2016.  They probably needed to increase it by 600 percent instead.  She did not say how much they spent.

Also, Yahoo played all of their breaches – likely at least four of them – very close to the vest. They didn’t admit, until now, two of the breaches – one with 200 million users and the other with 500 million users.  Yahoo says these breaches are NOT the same.

After the breach in 2010 Google started paying bug bounties to researchers to find bugs and holes.  Yahoo eventually did that, but not until three years later.

Even after Edward Snowden told the world that Yahoo was a frequent target of foreign nation spies, they still didn’t hire a new Chief Information Security Officer for a year.

Yahoo also resisted implementing end to end encryption because it would get in the way of them reading your mail to offer certain services.

While The Paranoids were passionate about their work, that didn’t translate into increased budget and respect.  Many of them left Yahoo for other companies.

Whether Congress, the SEC, numerous shareholder lawsuits and the risk of the Verizon buyout blowing up will get their attention or not is unclear.  Hopefully, it will.

Information for this post came from the New York Times.

by