NYT: ‘Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say’

Nicole Perlroth and Vindu Goel, reporting for the NYT:

[Alex Stamos, Yahoo’s former chief information security officer], also dispatched “red teams” of employees to break into Yahoo’s systems and report back what they found. At competitors like Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange, a platform created by Yahoo, Dropbox, Facebook, Pinterest and others to share information on cyberthreats.

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

The Times’s sources are really throwing Mayer under the bus. Sounds like it might be deserved, but man, this is brutal. This report has prompted a “What did Yahoo know and when did they know it?” inquiry from Senator Pat Leahy.

Wednesday, 28 September 2016