Naked Security

Marissa Mayer declined to reset Yahoo users’ passwords 2 years ago

Insiders say that strong security measures were repeatedly rejected in favor of developing new services and not inconveniencing users.

On Tuesday, US senators sent a letter to Marissa Mayer, asking the Yahoo CEO for details on the recently discovered breach of at least half a billion accounts.

Some of the questions from that letter: How did such a large-scale breach go unnoticed for 2 years? What’s Yahoo doing to prevent future breaches? Has Yahoo changed its security protocols? If so, how?

Perhaps a better question would have been: What hasn’t Yahoo done to build a secure environment?

As the New York Times reported on Wednesday, when it comes to security, you reap what you sow, but Yahoo hasn’t sprinkled many seeds over the years.

The newspaper spoke about the company’s security with half a dozen current and former Yahoo employees, under the condition of anonymity.

As they described it, since Mayer took over the flailing company in 2012, Yahoo’s security team has persistently requested more money for security initiatives.

But those requests have been repeatedly turned down in favor of other priorities, such as new products and a cleaner look for Yahoo Mail.

What’s more, the desire to stem the steady loss of users has meant that Mayer and other top brass have been loath to implement security changes that could disgruntle any more users.

Yahoo’s failures to proactively act on security:

Bug bounty program. Yahoo didn’t pay out its first bug bounty until 2013. And even that one – $12.50 in company store credit – was, shall we say, a tad underwhelming.

Compare that with Google, which announced its own bug bounty program 3 years earlier. Google not only ponied up decent-sized payouts; it also instituted a Hall of Fame, to make sure researchers got the credit they deserve.

In that 3-year lag, Yahoo not only lost “countless” security engineers to competitors, the NYT reports, but also suffered a breach of more than 450,000 plaintext passwords from Yahoo Voices in 2012 and a series of “humiliating” spam attacks in 2013.

End-to-end encryption. Yahoo hired the highly respected Alex Stamos as CIO a year after the Edward Snowden revelations about pervasive surveillance.

Stamos and his security team – they were dubbed “The Paranoids” – urged Yahoo to adopt end-to-end encryption for everything, according to what Jeff Bonforte, the Yahoo senior vice president who oversees its email and messaging services, said in an interview last December.

That would have kept all conversations private from non-participants. Even Yahoo wouldn’t be able to read messages.

Such a move wouldn’t prevent breaches, but it would protect users’ communications from government surveillance and intruders’ snooping.

Bonforte didn’t like the idea. It would, after all, mean that Yahoo would have a tough time indexing and searching message data in order to provide new user services.

The publication quoted Bonforte from that interview:

I’m not particularly thrilled with building an apartment building which has the biggest bars on every window.

In contrast, Yahoo competitors including Google and Facebook have rolled out strong end-to-end encryption on their products.

Stamos went on to leave Yahoo and become chief security officer at Facebook in June 2015.

The NYT suggests it was head-butting with Mayer that drove him out:

When it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees.

She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, [members of Yahoo’s security team] have been routinely hired away by competitors like Apple, Facebook and Google.

The worst security failing of all. One of the most serious security thumbs-downs Mayer issued: a rejection of automatic reset of all user passwords following a security breach.

From the NYT:

Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

Some resist the notion that users should be forced to change their passwords periodically. The thinking: it forces users to come up with easy-to-remember, easy-to-predict progressions, such as StupidPassword#1, StupidPassword#2, etc. Plus, why change a password that’s already strong?

But automatic password reset would mean that all the passwords that only recently spilled out, even though their breaches happened years ago, would be useless.

That includes the 164 million LinkedIn passwords from a 2012 breach and the 427 million passwords exposed from a past, unreported breach of MySpace.

Some businesses foist automated password resets on users periodically, as a type of prophylactic. The approach has its pluses and minuses.

But as far as automated password reset following breaches goes, why wouldn’t a company want to force users to lose their no-longer-secret credentials?

From what the Yahoo insiders told the NYT, the reason boils down to something along the lines of “because a few more users might fume and jump ship.”
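The difference between the two policies above is easy to show in code. The example below is added here and is not Yahoo’s code; it assumes a small account directory where each password records when it was set, a declared breach burns every password set before a cutoff, and a burned account can only be recovered through a one-time reset token (assumed to be delivered out of band, such as to a recovery address). The reset also rejects the StupidPassword#1 to StupidPassword#2 progression the article mentions, by keeping a hash of the password’s stem.

```python
import hashlib, os, re, secrets
from dataclasses import dataclass
def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
def _stem(pw: str) -> str:
    return re.sub(r"[\d#!$@._-]+$", "", pw).lower()   # StupidPassword#1 -> "stupidpassword"

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    stem_hash: bytes          # hash of the stem, so a reset can reject trivial progressions
    password_set_at: int      # unix time the password was last set
    reset_token_hash: bytes = b""

class Directory:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.breach_cutoff = 0    # passwords set before this instant are treated as leaked
    def create(self, user, pw, now):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _kdf(pw, salt), _kdf(_stem(pw), salt), now)
    def declare_breach(self, cutoff):
        """Burn every password set before `cutoff`; returns how many accounts that is."""
        self.breach_cutoff = max(self.breach_cutoff, cutoff)
        return sum(a.password_set_at < cutoff for a in self.accounts.values())
    def login(self, user, pw):
        a = self.accounts.get(user)
        if a is None or not secrets.compare_digest(_kdf(pw, a.salt), a.pw_hash):
            return "denied"
        # a correct but burned password no longer opens the account
        return "reset_required" if a.password_set_at < self.breach_cutoff else "ok"

    def request_reset(self, user):
        """One-time token; assumed to be delivered out of band (e.g. a recovery address)."""
        token = secrets.token_urlsafe(32)
        self.accounts[user].reset_token_hash = hashlib.sha256(token.encode()).digest()
        return token

    def reset(self, user, token, new_pw, now):
        a = self.accounts[user]
        if not a.reset_token_hash or not secrets.compare_digest(
                hashlib.sha256(token.encode()).digest(), a.reset_token_hash):
            return False
        if secrets.compare_digest(_kdf(_stem(new_pw), a.salt), a.stem_hash):
            return False      # StupidPassword#1 -> StupidPassword#2 is still burned
        a.salt = os.urandom(16)
        a.pw_hash, a.stem_hash = _kdf(new_pw, a.salt), _kdf(_stem(new_pw), a.salt)
        a.password_set_at, a.reset_token_hash = now, b""
        return True
```

Note that the stored stem hash is a weaker secret than the password hash itself; it is kept only to make the progression check possible and should be protected like any other credential material.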

Yahoo certainly isn’t the only business where security staff have had to fight for budget.

Readers, what do you think: Does knowing any of Yahoo’s security failings help?

After all, the knowledge isn’t going to help Yahoo users get their information back from the crooks who snatched it.

Let us know your thoughts in the comments section below.

19 Comments

And Yahoo has still not set up a regular phone option to reset passwords. The only choice for a temp code is an alt e-mail address or text message, so those without cell phones are stuck.

Reply

Yahoo logins can access other sites through OpenID, so an immediate request to change your password, along with a simple, well-penned explanation would have improved Yahoo’s reputation and might have even won them some new customers. They could easily explain, even if they didn’t have all the facts, that they suspect that their login information is compromised, and a password change is needed to make sure that you, the customer can be confident that your information will remain secure.
Yahoo had the opportunity to lead in the security space, but cowered to their immediate bottom line. Now they are forced to do the password reset anyway, and lose cachet in the security space instead of gaining it, because of the corporate attention to the immediate bottom line at the expense of the long-term bottom line.
This is a clear view on the company’s priorities, and customers will jump ship in greater numbers to a company that will do better work to take care of the customer’s security needs.

Reply

Very well said, and maybe this should be the de facto security policy. Once there is a suspected intrusion and a breach of data is possible, then there should be a system-wide approach of changing internal and external passwords, to include customer password reset notification with a small message as to why.

Reply

I’ve been a Yahoo Mail Plus subscriber since 1998. Their original email version was their best, the “improvements” since then have been cosmetic and annoying – never asking, always telling. They make it virtually impossible to talk to a human being and always have. Their “help” system is a joke and always has been, and gets only worse by the year. That said, their overall reliability is outstanding and always has been except for one day last week when no one could get into email at all for most of the day.
Ms. Mayer is famous for ending remote work and little else. That she refused to spend money on security is not surprising. The “send a text every time you sign in” is ludicrous when one uses the application from various desktops (there is a REASON people choose Internet Mail) around the area or world even; to have to have a mobile phone with you at every moment isn’t realistic nor reasonable. Other companies, businesses, have found secure ways to know who one is. Why on earth is this so difficult for Yahoo to understand? Ask somebody else how they handle password identifications. A bank or a business that uses secure login without forcing customers to change their password every 5 minutes might give Yahoo a clue as to how to operate securely in the modern world. I would hate to have to move to Gmail permanently. I hope Yahoo doesn’t force a choice like that on its most loyal and long-term customers.

Reply

I may be missing the point of your response, but to not have a second factor, whether that be a proper second factor or a secondary primary factor, would not be ideal. The whole case for 2FA is for the very reason discussed in this article. If your username and password is compromised, which seems to be trivial in this day and age because of the lack of security with these online accounts, then having that verification code sent via text or generated using an app or an RSS token generator on a key fob prevents anyone else from using your account unless they got hold of this item too, which is less likely. Many banks that I know of use either a key fob type generator or provide customers with USB payment card readers in order to log in online. Is it also too inconvenient to have this on you in order to hopefully stay protected? We are not living back in the stone age; users have to make an effort too. Those of us who can should, and those that can’t should be assisted in some way by others they trust.

Reply

I was on the fence leaving Yahoo because it’s so daunting but after reading here about their lackluster security I probably will.

Reply

“What hasn’t Yahoo done to build a secure environment?” That statement is misused, I think. It implies that they have done everything they could to build a secure environment.

Reply

No surprises here. After using Yahoo as my main news aggregator for well over 15 years, a few months ago I deleted my Yahoo news bookmark. Shortly after Firefox announced their Private Browsing mode Yahoo started hammering me to install their Yahoo Firefox add-on. Since that smelled suspiciously like spyware to me I declined – but the popup kept interrupting me about every 3rd click for weeks until I said “enough” and left forever. Nice job Yahoo. They completely trashed their Yahoo Groups with their “Neo” interface to the point where massive numbers of user complaints were submitted – and ignored. I keep my Yahoo email as a requirement for participating in a few Groups, but it never gets used. I consider it a huge security risk as it must be on every spam list in the world – an amazing number of spam messages accumulate in an account that never sees real traffic. I have Group messages sent to my normal (non-Yahoo) email account. People have complained loud and long about lack of control over material that appears on a personalized news page but nope, Yahoo knows what you need to see and your opinion doesn’t count. As a result you get bombarded with trash from sources you aren’t interested in and you can’t say “stop it” except by leaving. So I left. The whole thing reeks of unbelievably bad management killing what should have been a leading company. And those executives make lots and lots of money for their bad decisions – how much does Marissa get to pocket from the deal with Verizon? Yahoo and AOL… two one-time powerhouses headed for the dust-bin of history, and rightfully so.

Reply

I cancelled my Yahoo account years ago after the third security breach. Each time, Yahoo recommended resetting my password, vowing that my security was the most important thing to them and promising they would really crack down on hackers this time. I stopped believing them and deleted my account. I urge all other Yahoo account users to do the same. In the end, it’s the only thing that will get the attention of those in charge. And if Marissa Mayer isn’t on her way out already, she should be fired.

Reply

Mayer’s actions or lack thereof constitute a level of criminal deference when a person entrusted in that capacity owes a certain level of diligence and security…throw her in jail, fine her ALL compensation received in the last 2 years and send a message this type of greed will no longer be tolerated!!

Reply

And yet they see it fit to pay her over $100 million to leave. What a joke.

Reply

She is probably one of the worst CEOs I have ever seen in my lifetime. Totally incapable of doing her job and only thinks about how to drive the stocks up. I wish the FBI would indict her and throw her in jail for her greed.

Reply

I have been a Yahoo user by virtue of my AT&T DSL account since I left AOL many years ago. I have been upset at their management of my email account. This is the last straw – I will be getting another email provider as soon as I can.

Regards,

RS

Reply

Marissa Mayer: wasn’t she the one who made some inane comment about how using a PIN on her mobile device was just too hard? Geez… was she the inspiration for the infamous “Math is hard” Barbie doll?

Reply

For customers Yahoo got by taking over the “free email” offered by US “Baby Bells,” (that is, email in domains like bellsouth.net, sbcglobal.net, etc.), the Yahoo! password is also the password for your cellular, landline, and/or DSL/fiber internet connection. Change one and the other one changes–a nightmare until you actually figure this out.

If Marissa Mayer got any one of these carriers angry, a very large bloc of customers could be lost. That may have been a factor in her decision.

Reply

In today’s business world money rules. So, money rules should be imposed for security breaches. If there were a price list for security failures – like $10 to be paid to each user per day of an undisclosed password leak and even more money for lost personal data – the CEOs would adjust their decisions on security investments.

Reply

Unfortunately security is the #1 issue with data, and one of the largest costs to bear, without being a direct revenue generator. Without understanding the cost of not having security, it does look like wasted money (at the board level). We know it does have value, as we see what happens without it, too often too late.
Analogy: Imagine buying a house; you have normal locks, so why would you spend more on new locks than the house cost – then boom, you get broken into, then it makes sense to spend more on the locks than the house, as there won’t be any value in the house without the locks.

Reply

Sometimes I wonder why people should be hounded to suffer with “strong” passwords when they’re going to be stolen anyway.

Reply
