Yahoo!’s security shambles

Yahoo! insiders have told the New York Times that the web biz systematically refused money and fixes for its internal security team for fear of scaring off users.

The troubled California giant, which last week confessed that hackers had stolen the credentials for at least 500 million of its customer email accounts, routinely denied funding requests for better security and refused to implement basic security measures such as end-to-end encryption.

In 2014 Yahoo! hired security guru Alex Stamos as chief information security officer. He pushed hard for such encryption but was slapped down by management, who were worried that it would lose the ability to scan and index users' messages.

“I’m not particularly thrilled with building an apartment building which has the biggest bars on every window,” Jeff Bonforte, Yahoo!’s senior veep for email, told the paper.

Nevertheless, Stamos instituted rigorous testing procedures for The Paranoids, as Yahoo!’s security team was known. But staff report he clashed with Mayer, who refused to hand over cash for more testing and installing an intrusion detection system and refused to perform an automatic reset of user passwords after an attack for fear of losing customers.

Which is somewhat ironic as at just that time hackers were harvesting huge amounts of Yahoo! customer database records. Yahoo! is now facing a class-action lawsuit and possible congressional investigation into how it allowed the hack to happen. ®


Biting the hand that feeds IT © 1998–2017