[Alex Stamos, Yahoo’s former chief information security officer], also dispatched “red teams” of employees to break into Yahoo’s systems and report back what they found. At competitors like Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange, a platform created by Yahoo, Dropbox, Facebook, Pinterest and others to share information on cyberthreats.

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

The Times’s sources are really throwing Mayer under the bus. Sounds like it might be deserved, but man, this is brutal. This report has prompted a “What did Yahoo know and when did they know it?” inquiry from Senator Pat Leahy.