Marissa Mayer declined to reset Yahoo users’ passwords 2 years ago


On Tuesday, US senators sent a letter to Marissa Mayer, asking the Yahoo CEO for details on the recently discovered breach of at least half a billion accounts.

Some of the questions from that letter: How did such a large-scale breach go unnoticed for 2 years? What’s Yahoo doing to prevent future breaches? Has Yahoo changed its security protocols? If so, how?

Perhaps a better question would have been: What hasn’t Yahoo done to build a secure environment?

As the New York Times reported on Wednesday, when it comes to security, you reap what you sow, but Yahoo hasn’t sprinkled many seeds over the years.

The newspaper spoke about the company’s security with half a dozen current and former Yahoo employees, under the condition of anonymity.

As they described it, since Mayer took over the flailing company in 2012, Yahoo’s security team has persistently requested more money for security initiatives.

But those requests have been repeatedly turned down in favor of other priorities, such as new products and a cleaner look for Yahoo Mail.

What’s more, the desire to stem the steady loss of users has meant that Mayer and other top brass have been loath to implement security changes that could disgruntle any more users.

Yahoo’s failures to proactively act on security:

Bug bounty program. Yahoo didn’t pay out its first bug bounty until 2013. And even that one – $12.50 in company store credit – was, shall we say, a tad underwhelming.

Compare that with Google, which announced its own bug bounty program 3 years earlier. Google not only ponied up decent-sized payouts; it also instituted a Hall of Fame, to make sure researchers got the credit they deserve.

In that 3-year lag, Yahoo not only lost “countless” security engineers to competitors, the NYT reports, but also suffered a breach of more than 450,000 plaintext passwords from Yahoo Voices in 2012 and a series of “humiliating” spam attacks in 2013.

End-to-end encryption. Yahoo hired the highly respected Alex Stamos as CIO a year after the Edward Snowden revelations about pervasive surveillance.

Stamos and his security team – they were dubbed “The Paranoids” – urged Yahoo to adopt end-to-end encryption for everything, according to what Jeff Bonforte, the Yahoo senior vice president who oversees its email and messaging services, said in an interview last December.

That would have kept conversations private from anyone who wasn’t a participant. Even Yahoo wouldn’t be able to read messages.

Such a move wouldn’t prevent breaches, but it would protect users’ communications from government surveillance and intruders’ snooping.

Bonforte didn’t like the idea. It would, after all, mean that Yahoo would have a tough time indexing and searching message data in order to provide new user services.

The publication quoted Bonforte from that interview:

I’m not particularly thrilled with building an apartment building which has the biggest bars on every window.

In contrast, Yahoo competitors including Google and Facebook have rolled out strong end-to-end encryption on their products.

Stamos went on to leave Yahoo and become chief security officer at Facebook in June 2015.

The NYT suggests it was head-butting with Mayer that drove him out:

When it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees.

She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, [members of Yahoo’s security team] have been routinely hired away by competitors like Apple, Facebook and Google.

The worst security failing of all. One of the most serious security thumbs-downs Mayer issued: a rejection of automatic reset of all user passwords following a security breach.

From the NYT:

Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

Some resist the notion that users should be forced to change their passwords periodically. The thinking: it forces users to come up with easy-to-remember and easy-to-predict progressions, such as StupidPassword#1, StupidPassword#2, etc. Plus, why change a password that’s already strong?

But automatic password reset would mean that all the passwords that only recently spilled out, even though their breaches happened years ago, would be useless.

That includes the 164 million LinkedIn passwords from a 2012 breach and the 427 million passwords exposed from a past, unreported breach of MySpace.

Some businesses foist automated password resets on users periodically, as a type of prophylactic. The approach has its pluses and minuses.

But as far as automated password reset following breaches goes, why wouldn’t a company want to force users to lose their no-longer-secret credentials?
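The two points above, a breach-triggered reset that makes spilled credentials useless and the objection that forced resets produce predictable progressions, sketched as an added Python example (not Yahoo’s code, and nothing from the article); the breach cutoff date, the passwords and the timestamps are all constructed:

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed cutoff: any password chosen before the breach window must be
# reset before it can be used again. The date is an assumption, not the article's.
BREACH_CUTOFF = datetime(2014, 12, 1, tzinfo=timezone.utc)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: datetime  # when this password was chosen


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credential(password: str, set_at_iso: str) -> Credential:
    salt = os.urandom(16)
    set_at = datetime.fromisoformat(set_at_iso).replace(tzinfo=timezone.utc)
    return Credential(salt, hash_password(password, salt), set_at)


def login(cred: Credential, password: str) -> str:
    """'bad' on a wrong password; 'reset_required' when the correct password
    predates the breach cutoff, so a leaked copy buys nothing; else 'ok'."""
    if not hmac.compare_digest(hash_password(password, cred.salt), cred.digest):
        return "bad"
    if cred.set_at < BREACH_CUTOFF:
        return "reset_required"
    return "ok"


def is_trivial_progression(old: Credential, new_password: str) -> bool:
    """Catch StupidPassword#1 -> StupidPassword#2 style resets without storing
    plaintext: derive neighbours of the new password and test them against the old hash."""
    candidates = {new_password}
    m = re.fullmatch(r"(.*?)(\d+)", new_password)
    if m:
        stem, digits = m.groups()
        n, width = int(digits), len(digits)
        candidates.add(stem)  # the old password may have been the bare stem
        candidates.update(f"{stem}{n + d:0{width}d}" for d in (-2, -1, 1, 2) if n + d >= 0)
    return any(hmac.compare_digest(hash_password(c, old.salt), old.digest) for c in candidates)


def reset_password(old: Credential, new_password: str, now_iso: str) -> Credential:
    if is_trivial_progression(old, new_password):
        raise ValueError("new password is a trivial progression of the old one")
    return make_credential(new_password, now_iso)
```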

From what the Yahoo insiders told the NYT, the reason boils down to something along the lines of “because a few more users might fume and jump ship.”

Yahoo certainly isn’t the only business where security staff have had to fight for budget.

Readers, what do you think: Does knowing any of Yahoo’s security failings help?

After all, the knowledge isn’t going to help Yahoo users get their information back from the crooks who snatched it.

Let us know your thoughts in the comments section below.